In my previous tutorial a few days ago, I showed how to change the default SSH port to which you connect remotely. Today, this is a standard step in “hardening” one’s servers, and it’s not the only situation where you change the defaults in order to thwart spam. Web hosts that install WordPress on their servers change the database prefix by default these days, and lots of people even recommend getting rid of the “admin” or “administrator” user in WordPress.
However, there’s a lively section in the security community that scorns these types of measures. The name they use for them is “security by obscurity”, or sometimes “security by obfuscation”.
What is Security by Obfuscation?
The term as originally defined differs quite a bit from how it’s generally used today. It goes back to a locksmith in 1851 who criticized lock manufacturers for trying to make their locks immune to picking by hiding the internal design.
And that’s the foundation of security by obscurity. It’s the idea that we can make our systems secure if we hide the design of the system from attackers. Naturally, this is completely contrary to the modern practice of relying on open-source technologies for our servers, where every aspect of the target system is laid out in the open.
Genuine Example of Security by Obscurity
A great example of true “security by obscurity” is the practice of some website owners of hiding the WordPress version from their site’s HTML. The hope is that attackers who don’t know the version number won’t be able to target the vulnerabilities specific to it.
Here, the idea is to keep knowledge of the system’s structure away from potential attackers.
Modern Usage of Security by Obfuscation
However, in modern parlance the term “security by obscurity” is applied to many things beyond mere “hiding the structure”. As I mentioned above, there are those who consider changing the default port number to be “security by obscurity”.
Strictly speaking, I don’t think this is a true usage of the term. Changing the port number hides nothing about the underlying structure. In many ways, it’s just an additional piece of knowledge that the attacker needs to obtain to access the system, like a password. But no one calls passwords “security by obscurity”, because that would stretch the meaning of the term too far.
The real differentiator, in my opinion, is obscurity of the system’s underlying mechanism versus obscurity of a single, very specific piece of information.
Obfuscation has its Uses
We’ve seen that without changing the port, a server can get thousands of failed login attempts in just a few days. This clogs up the log files and consumes system resources. It also leaves you exposed to tail risks. Security by obfuscation is a valuable tool as long as it’s used in conjunction with other methods.
Which brings us to the key point of this article.
Security is Applied in Layers
A system should have multiple layers of defense in place. Changing the SSH port simply filters out the vast number of spam attacks. We are not relying on it to keep our server safe from determined attackers. For those, there are other methods like:
- Disabling root logins
- Using certificates to sign in
- Allowing SSH access only through whitelisted IPs
- and more…
But all of the above vary in how complex they are to set up and use. Changing the SSH port is such a simple 10-second measure (when done from the command line), and filters out so much junk, that it’s hard for me to find a disadvantage to using it.
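As an added example (not code from the original post), here is a small POSIX shell audit that reports which of the layers listed above an sshd_config enables, so the port change shows up as one layer among several; the sample configs, file names and function names are constructed for this illustration. It reads directives the way sshd does (first occurrence wins, comments are ignored, Match blocks are set aside), which a plain grep gets wrong.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the layers the
# article lists. The sample configs below are constructed, not taken from any real host.
# Print the effective value of a directive. sshd honours the FIRST occurrence of a
# keyword and ignores commented-out lines, so a plain grep can mislead; settings in
# Match blocks apply only conditionally, so parsing stops at the first Match line.
ssh_directive() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
  ' "$1"
}

# One line per layer: "ok ..." when it is enabled, "weak ..." otherwise.
ssh_layers() {
  port=$(ssh_directive "$1" Port); root=$(ssh_directive "$1" PermitRootLogin)
  pw=$(ssh_directive "$1" PasswordAuthentication); allow=$(ssh_directive "$1" AllowUsers)
  [ -n "$port" ] && [ "$port" != 22 ] && echo "ok   Port $port (non-default, filters scanner noise)" \
    || echo "weak Port ${port:-22} (default, expect brute-force noise in the auth log)"
  [ "$root" = no ] && echo "ok   PermitRootLogin no" || echo "weak PermitRootLogin ${root:-unset}"
  [ "$pw" = no ] && echo "ok   PasswordAuthentication no (keys/certificates only)" \
    || echo "weak PasswordAuthentication ${pw:-unset}"
  case $allow in
    *@*) echo "ok   AllowUsers limits logins to listed source addresses" ;;
    *)   echo "weak no user@address allowlist (an IP allowlist may live in the firewall instead)" ;;
  esac
}

# Number of layers enabled (0-4); the "|| true" keeps set -e quiet when grep counts zero.
ssh_score() { ssh_layers "$1" | grep -c '^ok' || true; }

# Constructed sample configs: $1 gets a stock-looking file, $2 a layered one.
ssh_write_samples() {
  printf '%s\n' '#Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' >"$1"
  cat >"$2" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers admin@203.0.113.0/24 deploy@198.51.100.7
Match User deploy
    PasswordAuthentication yes
EOF
}

# Stand-alone demo: report on both samples, then clean up.
weak=$(mktemp); hard=$(mktemp); ssh_write_samples "$weak" "$hard"
for f in "$weak" "$hard"; do echo "== $f =="; ssh_layers "$f"; echo "layers enabled: $(ssh_score "$f")/4"; done
rm -f "$weak" "$hard"
```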
Moral of the Story
When it comes to security, it’s almost always a question of “what works?”, not “what is the most ideologically pure method?”. Actually, that’s a good principle to use in life generally!
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!