Google is known to obey it, and the question was about avoiding getting
your site indexed by Google.

Of course, that doesn't mean someone won't find the site on their own.
If the link to it is on some other page that isn't blocked by
robots.txt, someone might stuble across that page and then click on the
link.

But if you're mainly worried about someone googling the words that are
on your website and Google sending them to the development version
instead of the production version, you're pretty safe.

Actually, DNS has very little impact on this at all. AFAIK, Google
doesn't crawl DNS, it just crawls web pages and follows links. My
company's development server is in DNS, and it's not firewalled (we all
work from our homes, there's no company network to restrict access
with), but I've never heard of anyone accidentally being directed there
by Google, because we don't publish links to this server.

I agree on using non-standard ports as well.

Moving SSH to a non-standard port is a perfect example of how to actually ID bad actors. It follows that any host connecting to 22 is clearly traffic that needs to be dropped and blocked. And if that host is blocked then any other connections it would attempt (eg port 80) are also blocked. I am reluctant to say "one and done" but it is pretty close.

Alternatively, using PF on a BSD with this rule:

pass in on $ext_if proto tcp from any to $ext_if port ssh \
flags S/SA keep state \
(max-src-conn-rate 2/120, overload <ssh-bruteforce> flush global)

Will only allow 2 connections within two minutes before the host is blacklisted.

John

-----Original Message-----
From: bind-users [mailto:bind-users-***@lists.isc.org] On Behalf Of Paul Kosinski
Sent: Wednesday, October 24, 2018 11:24 AM
To: bind-***@lists.isc.org
Subject: Re: Question about visibility

Maybe port scanners will find open ports pretty quickly, but I've found that using non-standard ports is helpful in reducing traffic, at least.
For example, SSH on port 22 gets lots of SYNs but moving it elsewhere, and making 22 totally unresponsive discourages most such attempts. This increases security slightly a priori, and may also improve security by simplifying the firewall log(s).

When using OpenVPN over UDP, the standard port 1194 can be subject to random and/or attack packets. These have to be processed and rejected (since their HMACs etc. hopefully won't pass decryption). This won't occur in TCP mode, of course, but UDP tends to be more efficient, especially since TCP over TCP tends to clog up.

P.S. When you come right down to it, *all* computer (software) security is "security by obscurity", whether the obscurity of passwords, private keys, etc. For example, DES is no longer used because 56-bit keys are no longer obscure enough to hide from modern computers.


On Wed, 24 Oct 2018 13:24:41 +0000
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users