The article is correct but they miss the true value add of security through obscurity: signaling lower ROI to attackers. Security through obscurity generally forces attackers to perform more actions and do more recon. Every additional action taken increases the risk of detection by defenders, costs the attackers valuable time (meaning lower ROI), and makes the target less appealing relative to other targets. Security through obscurity tactics are absolutely useful tools in a defender's toolbox (in conjunction with other security countermeasures).
I think it depends on what system you are talking about and where it is. So if you have an internet-facing server running sshd on port 22 then you are going to get hammered with low-effort, automated scans and changing to a non-standard port can cut down on noise and at least "hides" you from low-effort attackers. But if your server is in a hardened, private subnet then any attacker that is even in a position to connect to port 22 has already bypassed multiple layers of security and is already invested so likely won't be in the least bit deterred by a non-standard port.
>The article is correct but they miss the true value add of security through obscurity: signaling lower ROI to attackers. Security through obscurity generally forces attackers to perform more actions and do more recon.
Exactly. I came here to say much the same thing, except with a non-digital analogy.
I live in a (relatively) small apartment building with five floors and four apartments on each floor.
I live on a floor that isn't the top or the bottom floor. That reduces the likelihood that someone who opportunistically gains access to the building entrance or the roof will attempt to access my apartment.
What's more, unless I'm being specifically targeted (which obviates any sort of obscurity argument, given that specific focus is given to a target rather than a service exposed by many), it's pretty unlikely that my apartment will be robbed since there are other, much more accessible apartments than mine.
That's the "security through obscurity" bit, which has a measurable, positive impact on the security of my home and belongings.
However, that doesn't mean locking my door is inappropriate or overkill.
In fact, if I am being specifically targeted, locking my door is likely not sufficient either, as an intruder could bash down my door or drill out the locks to gain entry.
I suppose I could install surveillance cameras focused on my front door (as well as inside my apartment), allowing me to identify intruders after the fact. And I could install safes to hold my valuables as well.
Each of those security precautions has some positive value, and absolutely contributes to the idea of "defense-in-depth".
That said, there is a real trade-off between increased security, cost and usability.
While the relative "obscurity" of my apartment confers some security value, it's not nearly enough to stop someone from trying all the doors in the building, so I lock my door. I don't, however, have safes in my home or surveillance cameras outside the door and in every room, as that (unless I'm being specifically targeted) doesn't add enough value to justify the cost of such measures.
Which brings us to the point of security -- which is to protect assets. However, if the cost expended (in resources and usability) is greater than the value of the asset(s) being protected, it doesn't make sense to do so.
Security through obscurity can (but doesn't always) provide a modicum of value, but isn't a complete solution itself. Used in conjunction with other, reasonable (in the context of cost vs. value being protected) measures, it can be a valuable tool.