Re: Format of host keys in ~/.ssh/known_hosts

Fred Mobach <fred@xxxxxxxxx> writes:
> Dag-Erling Smørgrav <des@xxxxxx> writes:
> > There are plenty of other solutions; the simplest is to move sshd to
> > a different port, e.g. 443.
> Why do I not trust security by obscurity? I'm afraid that nmap will
> show the banners of sshd on any port.

If the problem you're trying to solve is "logs filling up with failed
brute-force attempts", moving sshd to port 443 is a cheap and easy

Oh, and don't sneer at "security by obscurity". Sure, you wouldn't hide
the vault key under the door mat: you'd design the vault so it takes two
separate keys to open it, and give them to two separate persons. But
you wouldn't put up a poster on the vault door with their names and
photos, either.

Hyperbole aside: in this case, it so happens that obscurity can stop
99.9% of all attacks before they reach your *real* defenses and consume
*real* resources. Isn't that worth anything to you?

Dag-Erling Smørgrav - des@xxxxxx