Ultimately, like most things in security, this is an education problem. It's all about people knowing more than what some online "secure SSH guide" tells you, including recommendations to "secure" your machine like changing the port or "disabling root login", etc. Most of it, under some scrutiny, isn't actually that substantial, but a lot of professionals out there are treating it like dogma.
> Changing the port of your SSH server to 900 may, in isolation, be a fine thing to do, but when actually done in the real world it tends to be a substitute for keeping your SSH server up-to-date, or more realistically, even remembering you opened up the port to the world in the first place.
It's interesting that you frame it this way, because I was thinking of this as the opposite: that the 'theory' being taught is not changing the port because security through obscurity is bad, and that the 'practical' solution is doing all of the things you mention it shouldn't be a substitute for, and only then adding obfuscation methods.
I think we're saying the same thing, that you can't substitute obfuscation for 'legitimate' security measures, but from different perspectives.