[ale] SSHD reports version info!?

matty91 at bellsouth.net matty91 at bellsouth.net
Thu Feb 19 14:09:33 EST 2004


On Thu, 19 Feb 2004, Michael H. Warfield wrote:

> On Thu, Feb 19, 2004 at 02:39:42AM -0500, Kevin Krumwiede wrote:
> > (I posted this to the debian-user list but it never showed up.)
>
> > When I telnet to port 22 on my 3.0r2 server, I see this:
>
> > SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
>
> > Isn't that considered sensitive information?  Why advertise it so
> > blatantly?  Is there any way to turn this banner off?
>
> 	Not really.  If you didn't, an attacker can just throw a broad
> spectrum attack at you, no gain.  Someone scanning would spot you and
> just assume that you are obfuscating the information because you're too
> lazy to keep your software up to date and flag you for that extra special
> attention they like to provide from time to time, just after an exploit
> release.

I am not so sure I agree with this. Most of the script kiddie utilities
do pattern matching based on banner information. While this doesn't
protect you from someone with a clue, it would help you deflect
attacks from the ppl d/l'ing sploits on the web.

>
> 	No you can not turn it off and, even if you could, you would then
> break ssh.  That information is not there merely for your edification.
> It's there to tell the client what protocols to speak.  There are
> several different dialects and the client needs to know what it's talking
> to in order to negotiate the protocols properly.  It's the opening offer
> in the protocol.

Well, OpenBSD/FreeBSD have the "VersionAddendum" option. My friend
configures his OpenSSH server to report:

VersionAddendum Windows 2000 Professional Server

You should be able to grab these patches if you are concerned about
the OS information in the banner.

>
> 	Some of the information (Like from "Debian" to the end of line)
> is mutable and you could trash it.  That first opening string, however,
> should NOT be tampered with.
>
> > Thanks,
> > Krum
>
> 	Mike
> --
>  Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
>   /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
>   NIC whois:  MHW9      |  An optimist believes we live in the best of all
>  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
>

Ryan Matteson - UNIX Administrator | GPG ID: 92D5DFFF
Public Key: http://www.daemons.net/~matty/public_key.txt
Fingerprint = 4BEC 6145 30A6 BCE6 5602 FF11 4954 165D 92D5 DFFF
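
Added example (not part of the original message or of OpenSSH): a Python parser that splits an SSH greeting into the fields the client negotiates on and the optional comments field, following the "SSH-protoversion-softwareversion SP comments" layout of RFC 4253 section 4.2. The function names are hypothetical, and the sample input is the banner quoted in this thread with a CR LF appended.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# protoversion and softwareversion: printable US-ASCII, no space and no '-'.
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[!-,.-~]+)-(?P<software>[!-,.-~]+)(?: (?P<comments>.*))?$"
)
MAX_IDENT_LEN = 255  # includes the trailing CR LF


def parse_ssh_ident(raw: bytes) -> dict:
    """Split a server greeting into protocol-relevant fields and comments."""
    # A server may send other lines first; the identification string is the
    # first line that begins with "SSH-".
    for line in raw.split(b"\n"):
        if line.startswith(b"SSH-"):
            break
    else:
        raise ValueError("no SSH identification string found")
    text = line.rstrip(b"\r").decode("ascii")  # non-ASCII raises ValueError
    if len(text) + 2 > MAX_IDENT_LEN:
        raise ValueError("identification string exceeds 255 bytes")
    m = IDENT_RE.match(text)
    if m is None:
        raise ValueError("malformed identification string: %r" % text)
    return {
        "protoversion": m.group("proto"),        # drives version negotiation
        "softwareversion": m.group("software"),  # peers key compatibility on it
        "comments": m.group("comments"),         # optional; None when absent
    }


def disclosure_report(raw: bytes) -> list:
    """List what the greeting reveals beyond the protocol version."""
    ident = parse_ssh_ident(raw)
    findings = []
    if ident["comments"]:
        findings.append("optional comments field: " + ident["comments"])
    name, sep, release = ident["softwareversion"].partition("_")
    if sep:
        findings.append("implementation %s, release %s" % (name, release))
    return findings


if __name__ == "__main__":
    # Constructed sample: the banner from this thread plus CR LF.
    sample = b"SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3\r\n"
    for finding in disclosure_report(sample):
        print(finding)
```

Run against your own server's greeting, the first finding is the part an administrator can trim; the second stays because peers depend on it.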


