
[no subject]



> > On Thu, Feb 19, 2004 at 02:39:42AM -0500, Kevin Krumwiede wrote:
> > > (I posted this to the debian-user list but it never showed up.)
> >
> > > When I telnet to port 22 on my 3.0r2 server, I see this:
> >
> > > SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
> >
> > > Isn't that considered sensitive information?  Why advertise it so
> > > blatantly?  Is there any way to turn this banner off?
> >
> > 	Not really.  If you didn't, an attacker can just throw a broad
> > spectrum attack at you, no gain.  Someone scanning would spot you and
> > just assume that you are obfuscating the information because you're too
> > lazy to keep your software up to date and flag you for that extra special
> > attention they like to provide from time to time, just after an exploit
> > release.

> I am not so sure I agree with this. Most of the script kiddie utilities
> do pattern matching based on banner information. While this doesn't
> protect you from someone with a clue, it would help you deflect
> attacks from the ppl d/l'ing sploits on the web.

	Not a prayer.  Some do pattern matching and some will kick out
"unusual" matches for, errr, deeper analysis.  The worms tend to be
extremely simplistic.  Don't assume that of the attackers.

> > 	No you can not turn it off and, even if you could, you would then
> > break ssh.  That information is not there merely for your edification.
> > It's there to tell the client what protocols to speak.  There are
> > several different dialects and the client needs to know what it's talking
> > to in order to negotiate the protocols properly.  It's the opening offer
> > in the protocol.

> Well, OpenBSD/FreeBSD have the "VersionAddendum" option. My friend
> configures his Openssh server to report:

> VersionAddendum Windows 2000 Professional Server

	Yeah, I think that just affects the mutable portion and leaves
the protocol portion alone.  You still can't just "turn it off" and it's
still going to identify the version of OpenSSH.

> You should be able to grab these patches if you are concerned about
> the OS information in the banner.

> > 	Some of the information (Like from "Debian" to the end of line)
> > is mutable and you could trash it.  That first opening string, however,
> > should NOT be tampered with.
> >
> > > Thanks,
> > > Krum
> >
> > 	Mike
> > --
> >  Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
> >   /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
> >   NIC whois:  MHW9      |  An optimist believes we live in the best of all
> >  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
> >
>
> Ryan Matteson - UNIX Administrator | GPG ID: 92D5DFFF
> Public Key: http://www.daemons.net/~matty/public_key.txt
> Fingerprint = 4BEC 6145 30A6 BCE6 5602 FF11 4954 165D 92D5 DFFF

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
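
Added example (not part of the original message and not OpenSSH code): a Python sketch that splits the banner quoted in this thread according to the RFC 4253 identification-string layout, separating the part the client needs for protocol negotiation from the optional comment an addendum option changes. The function names and the second sample banner are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
# softwareversion is printable US-ASCII without whitespace or the minus sign.
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>[\x21-\x2c\x2e-\x7e]+)"
    r"(?: (?P<comments>[^\r\n]*))?$"
)
MAX_IDENT_LEN = 255  # RFC 4253 limit, including CR LF


def parse_ident(raw: bytes) -> dict:
    """Split an SSH identification line into its three fields."""
    if len(raw) > MAX_IDENT_LEN:
        raise ValueError("identification string longer than 255 bytes")
    line = raw.decode("ascii").rstrip("\r\n")
    m = IDENT_RE.match(line)
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return {"proto": m["proto"], "software": m["software"],
            "comments": m["comments"]}


def disclosure_report(raw: bytes) -> dict:
    """Show what must stay in the banner and what is optional comment."""
    ident = parse_ident(raw)
    return {
        # The peer reads this part to pick the protocol dialect.
        "required": f"SSH-{ident['proto']}-{ident['software']}",
        # Everything after the first space is free-form and can be dropped.
        "removable": ident["comments"],
        # "1.99" is a server that also accepts protocol 1 clients.
        "speaks_ssh2": ident["proto"] in ("2.0", "1.99"),
    }


# Banner quoted in the thread, plus a constructed one with a custom addendum.
PAGE_BANNER = b"SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3\r\n"
ADDENDUM_BANNER = b"SSH-2.0-OpenSSH_3.4p1 Windows 2000 Professional Server\r\n"

if __name__ == "__main__":
    for banner in (PAGE_BANNER, ADDENDUM_BANNER):
        print(disclosure_report(banner))
```

Both banners report the same required prefix, so changing the comment leaves the OpenSSH version visible to anyone who connects.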



</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
</body>
</html>