A frequent topic of conversation amongst IT people, and system administrators in particular, is security through obscurity. Most experienced system administrators will tell you that there is no real security to be gained through obscurity. Is this true, or have they failed to properly consider the whole story?
Now let’s look at what there is to gain if the system, or the firewall in front of it, has decent anti-port-scan measures in place. As an example, the firewall I use trips its port scan detector when three different ports are tried from a single source address within a certain amount of time, and from then on that source’s packets are dropped. Given that there are 65,535 usable port numbers, a source that gets only three guesses before it is cut off has odds of about 3 in 65,535 (roughly 0.005%) of finding the correct one. The one thing to watch with a detector of this kind is the time window: probes spaced further apart than the window never add up to three, so the window has to be long enough that a slow scan takes impractically long.
A hopeful attacker will first try the default port. Unless they get lucky and locate the correct port on one of the next two attempts, for all practical purposes my system will appear to that source to have dropped off the Internet. Using the front door analogy, it’s somewhat similar to having armed guards and vicious watchdogs patrolling your property.
If the attacker uses a distributed port scan (scanning from multiple source addresses) the odds are definitely better, but unless we’re talking about several thousand sources the odds of finding the correct port during a single scan are still pretty low: even a thousand sources that never repeat a port between them, each getting three guesses before being blocked, cover only about 3,000 of 65,535 ports, roughly 4.6%. It’s a bit like having multiple intruders on your property trying to dodge the guards and dogs while looking for the lock.
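The detector and the odds described above, as an added example that is not part of the original post: a Python sketch of a threshold port scan detector (three distinct ports from one source inside a time window, after which the source is dropped), fed constructed connection attempts, together with the guessing odds for a single source, for a coordinated distributed scan, and for a scan that paces itself slower than the window. The 60-second window, the addresses, the ports and the sample traffic are all assumptions made for illustration; the post states none of them and this is not the author’s firewall code.

```python
"""Added example, not code from the original post: a threshold port scan
detector of the kind described above, fed constructed connection attempts,
plus the guessing odds for a single source and for a distributed scan.

Assumed for illustration (the post gives none of these): a 60 second window,
the addresses, the ports, and the sample traffic.
"""
from collections import defaultdict, deque

NUM_PORTS = 65535       # usable TCP ports 1..65535 (port 0 is reserved)
TRIP_THRESHOLD = 3      # distinct ports from one source inside WINDOW trips the detector
WINDOW = 60.0           # seconds; assumed value, the post does not state one


class PortScanDetector:
    """Per-source sliding window of probed ports; once a source is blocked,
    everything it sends is dropped, so the host looks offline to it."""

    def __init__(self, threshold=TRIP_THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(deque)   # src -> deque of (timestamp, port)
        self.blocked = {}                   # src -> timestamp it was blocked at

    def observe(self, ts, src, port):
        """Record one connection attempt and return the verdict for it:
        'blocked' (source already cut off), 'tripped' (this probe crossed the
        threshold; the source is cut off from now on) or 'allowed'."""
        if src in self.blocked:
            return "blocked"
        hist = self.history[src]
        hist.append((ts, port))
        while hist and ts - hist[0][0] > self.window:   # expire probes older than the window
            hist.popleft()
        if len({p for _, p in hist}) >= self.threshold:
            self.blocked[src] = ts
            return "tripped"
        return "allowed"


def single_source_hit_probability(guesses=TRIP_THRESHOLD, ports=NUM_PORTS):
    """Chance that one source finds the single open port before it is blocked,
    assuming it never repeats a port: guesses / ports."""
    return min(guesses, ports) / ports


def distributed_hit_probability(sources, guesses=TRIP_THRESHOLD, ports=NUM_PORTS):
    """Best case for the attacker: `sources` scanners coordinate so that no port
    is probed twice, each getting `guesses` probes before it is blocked."""
    return min(sources * guesses, ports) / ports


def slow_scan_trips(interval, ports=(22, 23, 80, 443, 2222), window=WINDOW):
    """Does one source probing a new port every `interval` seconds ever trip
    the detector? Spacing probes further apart than the window never does."""
    det = PortScanDetector(window=window)
    verdicts = [det.observe(i * interval, "198.51.100.9", p) for i, p in enumerate(ports)]
    return "tripped" in verdicts


# Constructed sample traffic (timestamp, source address, destination port);
# not real logs. 2222 stands in for the non-default SSH port.
SAMPLE_ATTEMPTS = [
    (0.0, "203.0.113.7", 2222),     # legitimate user on the non-default port
    (1.0, "198.51.100.9", 22),      # scanner tries the default port first
    (2.0, "198.51.100.9", 23),
    (3.0, "198.51.100.9", 80),      # third distinct port: detector trips
    (4.0, "198.51.100.9", 2222),    # would have hit, but the source is now blocked
    (5.0, "203.0.113.7", 2222),     # same user, same port: never counts as a scan
    (70.0, "203.0.113.7", 2222),
]


def run_sample(attempts=SAMPLE_ATTEMPTS):
    """Feed the sample through one detector; returns (src, port, verdict) per attempt."""
    det = PortScanDetector()
    return [(src, port, det.observe(ts, src, port)) for ts, src, port in attempts]


if __name__ == "__main__":
    for src, port, verdict in run_sample():
        print(f"{src:>14} -> {port:<5} {verdict}")
    print(f"single source: {single_source_hit_probability():.6f}")
    print(f"1000 coordinated sources: {distributed_hit_probability(1000):.4f}")
    print(f"slow scan (61 s apart) trips: {slow_scan_trips(61)}")
```

In the sample the scanner’s fourth probe lands on the right port and is still dropped, because the third distinct port already tripped the detector, while the legitimate user hammering one port never accumulates a second distinct port and is never touched. The slow-scan function shows the detector’s limit: probes spaced further apart than the window never add up to three, which is why the window length matters as much as the threshold.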
What does all this mean in the real world? Security through obscurity is of no real value on its own. However, used as one part of an overall toolkit that includes anti-port-scan measures, it can give a significant advantage. So the next time someone tells you that security through obscurity is a waste of time, maybe you should wonder about just what they have done for security, as it’s likely to be nowhere near enough.
What you’re saying makes a certain amount of sense for some things, but taking your SSH example there are far better ways (and just as easy to perform), so it makes no sense to do it for SSH.
-You can leave SSH on port 22 and use public key.
-Restrict your firewall to allow SSH from known good hosts.
These are just two, but both are safer than obscurity.
While I do use public key authentication whenever possible, there are situations, normally outside my control, where that is not an option. Equally, it’s not always possible to restrict access to known hosts, because some systems need to be accessible from anywhere, such as when I’m traveling and won’t know in advance where I’ll be or from what system I will make the connection. Of course that’s not the point of what I wrote, which is that the use of obscurity can give an increase in security, provided it’s coupled with other measures. It’s not a case of having to decide between obscurity and the methods you’ve described, as in most cases they can all be applied. They are not mutually exclusive. Every additional layer adds strength.