• @boatswain@infosec.pub
    link
    fedilink
    1511 months ago

    I see this claim all the time, and it bugs me every time. Obfuscation is a perfectly reasonable part of a defense in depth solution. That’s why you configure your error messages on production systems to give very generic error messages instead of the dev-centric messages with stack traces on lower environments, for example.

    The problem comes when obscurity is your only defense. It’s not a full remediation on its own, but it has a part in defense in depth.

    • @dan@upvote.au
      link
      fedilink
      711 months ago

      Changing the port isn’t really much obfuscation though. It doesn’t take long to scan all ports for the entire IPv4 range (see masscan)

      • @lud@lemm.ee
        link
        fedilink
        511 months ago

        It helps against stupid automated attacks though.

        If someone has changed the port it’s likely that they have set up a great password or disabled password auth all together.

        It’s worth it for just having cleaner logs and fewer attempts.

        • @dan@upvote.au
          link
          fedilink
          311 months ago

          It’s worth it for just having cleaner logs

          Those logs are useful to know which IPs to permanently block :)

    • Big P
      link
      fedilink
      English
      211 months ago

      Technically a password is obfuscation anyway