[ale] SSHD reports version info!?
Michael H. Warfield
mhw at wittsend.com
Thu Feb 19 14:19:32 EST 2004
On Thu, Feb 19, 2004 at 02:08:29PM -0500, matty91 at bellsouth.net wrote:
> On Thu, 19 Feb 2004, Michael H. Warfield wrote:
> > On Thu, Feb 19, 2004 at 02:39:42AM -0500, Kevin Krumwiede wrote:
> > > (I posted this to the debian-user list but it never showed up.)
> > > When I telnet to port 22 on my 3.0r2 server, I see this:
> > > SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
> > > Isn't that considered sensitive information? Why advertise it so
> > > blatantly? Is there any way to turn this banner off?
> > Not really. If you didn't, an attacker can just throw a broad
> > spectrum attack at you, no gain. Someone scanning would spot you and
> > just assume that you are obfuscating the information because you're too
> > lazy to keep your software up to date and flag you for that extra special
> > attention they like to provide from time to time, just after an exploit
> > release.
> I am not so sure I agree with this. Most of the script kiddie utilities
> do pattern matching based on banner information. While this doesn't
> protect you from someone with a clue, it would help you deflect
> attacks from the ppl d/l'ing sploits on the web.
Not a prayer. Some do pattern matching and some will kick out
"unusual" matches for, errr, deeper analysis. The worms tend to be
extremely simplistic. Don't assume that of the attackers.
> > No, you cannot turn it off and, even if you could, you would then
> > break ssh. That information is not there merely for your edification.
> > It's there to tell the client what protocols to speak. There are
> > several different dialects and the client needs to know what it's talking
> > to in order to negotiate the protocols properly. It's the opening offer
> > in the protocol.
> Well, OpenBSD/FreeBSD have the "VersionAddendum" option. My friend
> configures his OpenSSH server to report:
> VersionAddendum Windows 2000 Professional Server
Yeah, I think that just affects the mutable portion and leaves
the protocol portion alone. You still can't just "turn it off" and it's
still going to identify the version of OpenSSH.
> You should be able to grab these patches if you are concerned about
> the OS information in the banner.
> > Some of the information (Like from "Debian" to the end of line)
> > is mutable and you could trash it. That first opening string, however,
> > should NOT be tampered with.
> > > Thanks,
> > > Krum
> > Mike
> > --
> > Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
> > /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> > NIC whois: MHW9 | An optimist believes we live in the best of all
> > PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
> Ryan Matteson - UNIX Administrator | GPG ID: 92D5DFFF
> Public Key: http://www.daemons.net/~matty/public_key.txt
> Fingerprint = 4BEC 6145 30A6 BCE6 5602 FF11 4954 165D 92D5 DFFF
Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
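
Added example, not part of the original thread: a parser that splits the banner quoted above into the protocol portion the client negotiates on and the optional trailing comment, following the identification-string format in RFC 4253 section 4.2. The function names are hypothetical, and the greeting line in the sample is constructed.

```python
import re

# SSH-protoversion-softwareversion SP comments  (RFC 4253, section 4.2)
# softwareversion: printable US-ASCII without space or '-'; comments optional.
IDENT_RE = re.compile(
    r"SSH-(?P<proto>[0-9.]+)-(?P<software>[\x21-\x2c\x2e-\x7e]+)"
    r"(?: (?P<comments>[\x20-\x7e]*))?"
)

def parse_ident(raw: bytes) -> dict:
    """Split one identification line into its required and optional fields."""
    if len(raw) > 255:
        raise ValueError("identification string longer than 255 bytes")
    # Non-ASCII bytes raise UnicodeDecodeError, a subclass of ValueError.
    line = raw.rstrip(b"\r\n").decode("ascii")
    m = IDENT_RE.fullmatch(line)
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    proto = m.group("proto")
    return {
        "proto": proto,
        "software": m.group("software"),
        "comments": m.group("comments") or "",
        # "1.99" marks a server that also accepts the older protocol.
        "speaks_ssh2": proto in ("2.0", "1.99"),
    }

def first_ident(lines) -> dict:
    """A server may send other lines first; the ident starts with 'SSH-'."""
    for raw in lines:
        if raw.startswith(b"SSH-"):
            return parse_ident(raw)
    raise ValueError("no identification string seen")

def disclosure_report(raw: bytes) -> dict:
    """Separate what the peer negotiates on from the optional comment."""
    f = parse_ident(raw)
    return {
        "needed_by_client": f"SSH-{f['proto']}-{f['software']}",
        "optional_comments": f["comments"],
    }

if __name__ == "__main__":
    # Banner from the thread, preceded by a constructed greeting line.
    sample = [b"constructed greeting line\r\n",
              b"SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3\r\n"]
    print(first_ident(sample))
    print(disclosure_report(sample[1]))
```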