
Leaving services' ports at their default values: convenience VS security - nmaggioni
https://nmaggioni.xyz/2016/06/24/On-default-ports/
======
stephenr
Security by obscurity is not security.

Use fail2ban or similar to IP-block brute force attempts, and minimise public
services like MySQL, etc. by requiring a VPN/SSH tunnel to connect.

How is this idea of using random ports for "security" still a thing?

Do the same people suggest md5 for passwords too?

~~~
nmaggioni
I wasn't focusing on hardening a server, my point was avoiding simple random
scans for the sake of log management. Maybe I've used the word "security" too
lightheartedly?

~~~
stephenr
Fail2ban still solves that problem. A few entries with failed auth, and hey
presto no more log entries because it's rejected by the firewall.

It's a well established pattern for brute force tools to not just try the
default port, but perform a port scan to detect listening ports, and then try
those.

Putting your services on other ports just makes things inconvenient for the
user, nothing more.
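As an added example (not from the thread and not fail2ban's own code), a minimal fail2ban-style filter in Python: it applies the maxretry/findtime idea to constructed sshd log lines, counting failed-auth entries per source IP in a sliding window and returning the addresses that would be handed to the firewall, after which their further attempts stop appearing in the log.

```python
"""Minimal fail2ban-style detector for sshd failed-auth lines.
The log lines and IP addresses below are constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style sshd sample (documentation-range IPs).
SAMPLE_LOG = """\
Jun 24 10:00:01 host sshd[1]: Failed password for root from 203.0.113.5 port 5000 ssh2
Jun 24 10:00:03 host sshd[2]: Failed password for invalid user admin from 203.0.113.5 port 5001 ssh2
Jun 24 10:00:05 host sshd[3]: Accepted publickey for alice from 198.51.100.7 port 5100 ssh2
Jun 24 10:00:07 host sshd[4]: Failed password for root from 203.0.113.5 port 5002 ssh2
Jun 24 10:00:40 host sshd[5]: Failed password for root from 198.51.100.7 port 5101 ssh2
Jun 24 10:20:00 host sshd[6]: Failed password for root from 203.0.113.9 port 5200 ssh2
Jun 24 10:20:01 host sshd[7]: Failed password for root from 203.0.113.9 port 5201 ssh2
Jun 24 10:40:00 host sshd[8]: Failed password for root from 203.0.113.9 port 5202 ssh2
"""

# Matches only failed password attempts; successful logins are ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)

def parse_ts(ts, year=2016):
    """Syslog timestamps carry no year, so one is supplied (assumed 2016)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(log_text, maxretry=3, findtime=600):
    """Return IPs whose failures reach `maxretry` within `findtime` seconds,
    mirroring fail2ban's maxretry/findtime semantics, in order of first ban."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    banned = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip, when = m["ip"], parse_ts(m["ts"])
        window = recent[ip]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than the window
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

if __name__ == "__main__":
    for ip in find_bans(SAMPLE_LOG):
        print(f"would block {ip} (e.g. a firewall DROP rule for that source)")
```

With the defaults only 203.0.113.5 is caught: 203.0.113.9 also fails three times, but the third attempt falls outside the 600-second window, which is exactly the slow-scan case a longer findtime is meant to cover.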

