Skip to main content

This is a new website theme. Help me improve it and give your feedback (opens in a new tab).

Security by Obscurity

Published:

Tags:

Security Sysadmin Tor Planet Debian Planet FSFE
This blog post is more than two years old. It is preserved here in the hope that it is useful to someone, but please be aware that links may be broken and that opinions expressed here may not reflect my current views. If this is a technical article, it may no longer reflect current best practice.

Today this blog post turned up on Hacker News, titled “Obscurity is a Valid Security Layer”. It makes some excellent points on the distinction between good and bad obscurity and it gives an example of good obscurity with SSH.

From the post:

I configured my SSH daemon to listen on port 24 in addition to its regular port of 22 so I could see the difference in attempts to connect to each (the connections are usually password guessing attempts). My expected result is far fewer attempts to access SSH on port 24 than port 22, which I equate to less risk to my, or any, SSH daemon.

I ran with this alternate port configuration for a single weekend, and received over eighteen thousand (18,000) connections to port 22, and five (5) to port 24.

Those of you that know me in the outside world will have probably heard me talk about how it’s insane we have all these services running on the public Internet that don’t need to be there, just waiting to be attacked.

I have previously given a talk at TechMeetup Aberdeen where I talk about my use of Tor’s Onion services to have services that only I should ever connect to be hidden from the general Internet.

Onion services, especially the client authentication features, can also be useful for IoT dashboards and devices, allowing access from the Internet but via a secure and authenticated channel that is updated even when the IoT devices behind it have long been abandoned.

If you’re interested to learn more about Onion services, you could watch Roger Dingledine’s talk from Def Con 25.