Hello guys,
Just my 2 cents on this, and sorry for being tired of hearing the "security through obscurity" mantra thrown around all the time.
If the obscurity does not replace security then it's fine.
Changing the default ssh port from 22 to a random upper port can also be considered security through obscurity, but just changing it takes care of 99% of fully automated probes.
Same goes for the default Web UI.
Why not go one step further and add knockd? A simple, unencrypted sequence does not replace your usual security, but it sure gets rid of the vast majority of mindless scanning bots.
Let's all agree to put a huge warning on the knock configuration page, use it if we are tired of deleting logs from exotic countries and keep our OPNsense up to date as usual.
Thank you. :)
PS: we still have a GRE device available, right? That's a clear text tunnel. No warnings there, no security required. Yes, I saw noobs doing GREs like they're splitting the atom :)