Leaving services' ports at their default values: convenience VS security (opens in new tab)

(nmaggioni.xyz)

1 pointsnmaggioni10y ago3 comments

3 comments

3 comments · 1 top-level

stephenr10y ago· 2 in thread

Security by obscurity is not security.

Use fail2ban or similar to ip-block brute force attempts, and minimise public services like MySQL, etc by requiring a vpn/ssh tunnel to connect.

How is this idea of using random ports for "security" still a thing?

Do the same people suggest md5 for passwords too?

nmaggioniOP10y ago

I wan't focusing on hardening a server, my point was avoiding simple random scans for the sake of log management. Maybe I've used the word "security" too lightheartedly?

stephenr10y ago

Fail2ban still solves that problem. A few entries with failed auth, and hey presto no more log entries because it's rejected by the firewall.

It's a well established pattern for brute force tools to not just try the default port, but perform a port scan to detect listening ports, and then try those.

Putting your services on other ports just makes things inconvenient for the user, nothing more.

j / k navigate · click thread line to collapse