Security by obscurity

The weakest form of security is that obtained through obscurity - hiding what would otherwise be plainly found in hopes it'll be missed.

One of the worst pieces of advice I ever got was to hide the port used by an application. This level of obscurity would allegedly protect my system from outside attackers while still allowing me in. The only problem: it didn’t work.

I applied this advice to two systems the same week – my personal server’s SSH interface and my employer’s mail server.

I had moved my SSH interface to a non-standard port in an attempt to block outside attackers from brute forcing my password. I moved my employer’s SMTP interface to a non-standard port in an attempt to keep it secure until I could add proper authentication. My assumption, based on the advice I’d received, was these were appropriate means of applying additional security.

My assumption was flawed.

Obscurity is not security at all

That weekend, at a conference, three things happened.

Someone broke my server. To this day I don’t know exactly how they got in (likely a random RCE bug in an application I was hosting). All I knew was that my site was misbehaving and I needed to fix it immediately as I was about to lecture on what I’d built.

Unfortunately, the conference network connection only allowed standard ports. I could use 80 and 443 for web traffic. I could use 22 for SSH to a server. Attempting to connect to SSH over port 44 was blocked entirely. Rather than lecture on a potentially hacked site, I called my provider and had them terminate the server. I restored from a backup the following week.

Obscuring the port for my SSH connection didn’t afford me extra security. It merely made my server harder to manage. That I was still using password-based authentication (rather than a stronger key-based configuration) meant an attacker only had to guess my open port. This is easily done through port scanning on a known IP address, then brute forcing my (admittedly quite weak) password.

Hiding a port is a minor impediment

It took about 12 hours for attackers to discover the non-standard port I’d set up for my employer’s SMTP interface. After that, it was only 4 hours before our IP address was blacklisted for acting as an open relay for spammers.

Changing the port used by SMTP did absolutely nothing to keep the bad actors out; it merely slowed them down by a few hours.

In the end, it cost me several days of work to remediate the issues. Applying for removal from blacklists. Configuring proper authentication with a real email gateway. I used obscurity as a quick hack to work around a larger problem, and that turned out to be a crippling mistake.

Real security or nothing

Digital security is fundamentally analogous to security in the real world. If you don’t have time or budget to put a lock on your front door, moving the front door to the back of the house is not an adequate solution. Relocating a point of entry or otherwise obscuring access does nothing to promote real security.

Instead, focus on concrete steps that do provide additional safety. Use only strong passwords. Wherever possible, leverage key-based authentication. Implement multiple authentication factors. Leverage standard ports but with proper firewall filtering on allowed traffic.
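As an added example (not code from the original post), the short audit below reads `sshd_config` text and flags the setup described above: password logins left on behind a relocated port. The finding names and both sample configurations are constructed for illustration. It assumes only the global section matters, so it stops at the first `Match` block and does not follow `Include` files.

```python
# Added example: audit sshd_config text for "obscurity only" setups.
# Simplifications (assumptions): global section only (stops at the first
# Match block), Include files are not followed.

# OpenSSH defaults for the two authentication keywords checked here.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}


def effective_settings(config_text):
    """Return the settings sshd would use: first value per keyword wins,
    keywords are case-insensitive, Port may be repeated."""
    settings, ports = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        if key == "port":
            ports.append(value)
        else:
            settings.setdefault(key, value)
    return {**DEFAULTS, **settings, "ports": ports or ["22"]}


def audit(config_text):
    """Return a list of finding codes, empty when nothing is flagged."""
    s = effective_settings(config_text)
    findings = []
    password_on = s["passwordauthentication"] == "yes"
    if password_on:
        findings.append("password-auth-enabled")
    if s["pubkeyauthentication"] != "yes":
        findings.append("pubkey-auth-disabled")
    nonstandard = [p for p in s["ports"] if p != "22"]
    if nonstandard and password_on:
        findings.append("obscure-port-guards-password-login")
    elif nonstandard:
        findings.append("nonstandard-port-may-be-blocked")
    return findings


# Constructed samples: the first mirrors the setup described in the post.
OBSCURED = "Port 44\nPasswordAuthentication yes\n"
HARDENED = "# keys only, standard port\nPort 22\nPasswordAuthentication no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in (("obscured", OBSCURED), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

On a live host, `sshd -T` prints the effective configuration in a form this parser accepts. Keyboard-interactive authentication through PAM can still accept passwords, so check `KbdInteractiveAuthentication` as well.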

Obscurity is never an adequate substitute for doing the real work to embrace and encourage security.