I think the article misses a more important attack vector by focusing on brute force instead of human weaknesses.

Obscurity is naturally fragile and vulnerable to social engineering. Social engineering is the real problem. We can filter out brute force easily: it can be fail2ban, or even the simplest iptables rules, like

    # Reject a new SSH connection if this source already opened 15 in the last 600 s
    # (--rttl only counts earlier entries that arrived with the same TTL, so a spoofed
    # packet from elsewhere on the path is less likely to lock out the real host)
    iptables -A INPUT -j REJECT -p tcp --dport 22 -m state --state NEW -m recent --name TCP_SSH --update --rttl --seconds 600 --hitcount 15 --reject-with icmp-port-unreachable
    # ... or 5 in the last 60 s
    iptables -A INPUT -j REJECT -p tcp --dport 22 -m state --state NEW -m recent --name TCP_SSH --update --rttl --seconds 60 --hitcount 5 --reject-with icmp-port-unreachable
    # Otherwise accept and record the source. Match NEW only: with NEW,ESTABLISHED the --set
    # would add a stamp for every packet of an open session and the same host's next
    # connection would be rejected by the rules above
    iptables -A INPUT -j ACCEPT -p tcp --dport 22 -m state --state NEW -m recent --name TCP_SSH --set

If you move from passwords to SSH keys, it increases security not really because the number of possible keys is larger than the number of possible passwords. More important is that you eliminate bad practice. One cannot share an SSH key over a phone conversation, or write it down on a piece of paper and stick it to a monitor. The change is nothing like upgrading from 1024-bit SSH keys to 3072-bit SSH keys. If you store the SSH key on some HSM, like a YubiKey, even better: no one can copy this key, only steal it.

You cannot really hide an IP address or port number. You'll send this information to your colleagues and partners over SMS, Facebook Messenger, WhatsApp, Viber, Telegram, e-mail, Skype, Zoom, many times, over multiple channels. Or you will write it down on a wiki, like Confluence, which is public to the entire organization, and that knowledge is not a secret anymore.

My greatest fear is not a script kiddo with a botnet, but an addicted employee with debts.
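To make the rate-limit logic concrete, here is an added example (not from the comment above or from any project) that replays constructed sshd log lines through the same two windows the iptables rules use, 5 connections in 60 s and 15 in 600 s, per source address. The log format and addresses are assumed; --rttl and the kernel's cap on stamps per entry are not modelled.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Windows and hit counts from the iptables rules above: 5 new connections in 60 s
# or 15 in 600 s from one source address, counted before the current one is recorded.
LIMITS = ((60, 5), (600, 15))

# Constructed sshd log lines for the demo, not captured from a real host.
SAMPLE_LOG = """\
2024-03-01T10:00:00 sshd[311]: Failed password for root from 198.51.100.7 port 40001 ssh2
2024-03-01T10:00:05 sshd[312]: Failed password for root from 198.51.100.7 port 40002 ssh2
2024-03-01T10:00:09 sshd[313]: Failed password for admin from 198.51.100.7 port 40003 ssh2
2024-03-01T10:00:12 sshd[314]: Failed password for admin from 198.51.100.7 port 40004 ssh2
2024-03-01T10:00:15 sshd[315]: Failed password for ubuntu from 198.51.100.7 port 40005 ssh2
2024-03-01T10:00:18 sshd[316]: Failed password for ubuntu from 198.51.100.7 port 40006 ssh2
2024-03-01T10:00:20 sshd[317]: Accepted publickey for alice from 203.0.113.5 port 51000 ssh2
2024-03-01T10:02:00 sshd[318]: Accepted publickey for alice from 203.0.113.5 port 51001 ssh2
"""

LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: (?:Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+) port")


def parse(line):
    """Return (timestamp, user, source_ip) for a login line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def evaluate(log_text):
    """Replay connections per source and return the (ip, timestamp) pairs the REJECT rules
    would have dropped. Every connection counts, failed or accepted: the firewall never
    learns whether authentication succeeded; that is what fail2ban adds on top."""
    history = defaultdict(deque)  # source ip -> timestamps of its earlier connections
    longest = max(window for window, _ in LIMITS)
    rejected = []
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        stamps = history[ip]
        while stamps and (ts - stamps[0]).total_seconds() > longest:
            stamps.popleft()  # older than the longest window: can never match again
        if any(sum((ts - s).total_seconds() <= w for s in stamps) >= n for w, n in LIMITS):
            rejected.append((ip, ts.isoformat()))
        stamps.append(ts)  # recorded either way: --update on a match, --set on accept
    return rejected
```

With the sample above only the sixth connection from 198.51.100.7 trips the 60 s window; alice's two logins, 100 s apart, never do.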
