You have likely heard the expression “security through obscurity”, and you may have even considered adopting it as a policy at one point or another. It is convenient to believe that an “obscure” server is secure because no one knows about it, but this is not a very realistic theory.
As a rule, any device attached to a network or the Internet is potentially vulnerable to attackers on that network or on the Internet. In other words, once your server is connected to the multiverse that makes up the Internet, there is no way to remain completely anonymous. But the expression is “security through obscurity”, and it is still possible to be relatively obscure, even if you are not completely anonymous. The real question to ask yourself is: Is it safe?
Essentially, the principle of security through obscurity dictates that you do not need to be overly concerned with firewalls, vulnerability scans, malware protection, and other security measures because attackers do not know your server exists. For example, your server’s only purpose may be to host private cloud applications for your business. While it is connected to the Internet, it has no public websites.
The problem with this theory lies in the assumption that attackers deliberately select servers as targets. This may be true of high-profile targets in huge DDoS attacks, but it is usually not the case in other situations. Instead, attackers often use software to scan for vulnerable servers, meaning your server could be attacked no matter how obscure you think it is. Some attackers will even use your server as a launchpad to strike those high-profile targets you thought you could avoid. The only real solution is to take steps to secure your server properly. There is no true security through obscurity, only servers biding their time until disaster strikes.