But even if you accept the author's distinction, the conclusion seems wrong -- moving your SSH port is security through obscurity, albeit relatively weak.
If I attempt to connect to port 22 and there's nothing there, then I don't know whether the machine has SSH or not. So the mechanism is being hidden. Therefore... security through obscurity.
(If, on the other hand, a connection to port 22 somehow failed with an error message "wrong SSH port!" then, in that case, it wouldn't be obscurity.)
The main reasons it's weak are that you can port scan to discover if it exists, and it's likely in the first place that many machines have SSH because alternatives are less common.
But it is still a first layer of security through obscurity, by definition. (Regardless of whether you think it's useful or good or not.)
This response is missing the author's point. There's a distinction between obscuring the methods and obscuring a parameter to those methods.
Security by obscurity, and in particular its negative connotation, refers to obscuring methods. The reason it has a negative connotation is that the amount of work it takes to implement a secure system is high relative to the amount it takes to break it. By contrast, the amount of work needed to generate an RSA key, new port number, etc. is incredibly low relative to the amount of work it takes someone to break it.
Security by layers is important, but the article's point is that the ratio of effort to benefit for changing your port number is far, far higher than the term "security by obscurity" generally implies.
> This response is missing the author's point. There's a distinction between obscuring the methods and obscuring a parameter to those methods.
But that's exactly the distinction I'm saying the author is getting wrong.
Moving away from the default SSH port is obscuring the method, because it's no longer a single step to check whether the server even has SSH or not. It might not at all, so the port number doesn't serve primarily as a parameter -- it serves primarily to obscure its existence in the first place.
To use the article's presidential motorcade analogy, it's not like knowing there's a motorcade but not knowing which car the president is in. Instead, it's like not knowing if there's a motorcade at all, and having to check every car in the city to see if the president is even out in public in the first place.