No, Moving Your SSH Port Isn't Security by Obscurity


I just came across another post on Hacker News talking about why you shouldn’t move your SSH port off of 22 because it’s Security by Obscurity.

There are some good reasons not to move SSH ports in certain environments, such as usability.

People absolutely love to invoke the “Security by Obscurity” boogeyman, and it makes them feel super smart when they do. It’s a conversation ender.

Oh man, that’s nothing but Security by Obscurity… (Ryu Fireball)

(The victim covers their face, packs, and leaves town)

It’s true that Security by Obscurity is bad; the problem is many people have no idea when it applies. Including most of the people being loudest about it. Let me tell you the secret to this debate that will permanently solve it for you.

Security by Obscurity is when you hide how a security measure works, not when you keep some part of it a secret.

Let me repeat that a few different ways, with examples.

Certain types of security controls (like encryption) have two components: the mechanism, and the key. In encryption, the mechanism is the algorithm, and the key is, well…the key.

The question is whether you’re hiding the mechanism or the key.

If you hide how the algorithm works, you’re using Security by Obscurity. And that’s bad. We all agree there. But how about these examples?

These are all well-known by attacker and defender.

  • Frequency hopping on a radio system to avoid eavesdropping
  • A dead-drop mechanism used by spies to exchange notes and packages
  • The use of camouflage on tanks and planes in war
  • The use of decoy limos for heads of state in dangerous areas

Here we have something that’s clearly being hidden. We’re hiding the frequency we’re using. We’re hiding the location of the dead-drop. We’re hiding the location of the tank in the desert by making it look like sand. And we’re hiding which limo the President is actually in so it’ll be harder to attack him.

Is that Obscurity?

No. It’s not. And here’s why. Nobody is hiding the mechanism.

Even if your enemy knows you’re camouflaged somewhere in the dessert all their work is still ahead of them.

Everyone knows what’s going on. Everyone knows that the tank is somewhere in the desert, they just can’t see it to shoot it. Everyone knows the President is in one of those three helicopters, but it’s way more dangerous and expensive to guess which one and fire. And with the dead-drop, you know the package is somewhere in Central Park, but you don’t know where.

Increasing attacker effort is invaluable.

Importantly, it’s very expensive to take the time to check all the places the target could be. For a package. For a President. For a camouflaged tank.

And yes—for an SSH port.

It’s fine that people know you changed your SSH port. But now they have to scan all the ports and find the new one. Sure, that’s not too difficult, but many people are actually going to do that? Not many, because it’s costly in terms of time and effort.

I did an experiment one weekend and got ~10,000 probes on port 22 and 4 on some random high port.

In short, you just made it harder for the enemy to successfully attack you by giving them a resource problem. Sure, they can check under every rock in Central Park and eventually find the package, but you’ll be done with the mission by then.

Obscurity doesn’t apply if people know the mechanism you’re using and they simply have a resource problem. Having a known defense but a hidden key is a well-established part of good security, and it has been for millennia.

Summary

  1. Yes, Security by Obscurity is bad.
  2. But most people don’t know what it actually is.
  3. It’s where you keep the mechanism secret, not the key.
  4. As long as you have a good key, it’s ok for people to know the mechanism.
  5. Don’t let people term-shame you who don’t grasp the underlying concepts.

Notes

  1. Changing an SSH port is a lot like a dead-drop or camouflage. It’s not good security by itself. The tank still needs armor. The message should still be encrypted. But it’s a layer.