LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-15-2007, 05:57 AM   #1
hairysocks
Member
 
Registered: May 2002
Location: Thorverton, Near Exeter, Devon, England
Distribution: Ubuntu 10.04 (used to be Red Hat 7.1, then Red Hat 9, then FC 2, FC 5, FC 6, FC 9 and Ubuntu 8.04)
Posts: 103

Rep: Reputation: 16
Stop SSHD reporting its Local version string


How can I get sshd to stop reporting its Local version string when someone tries to connect using telnet? At the moment, if you try this:

$ telnet serveraddress 22

then SSHD responds with something like:

SSH-2.0-OpenSSH_3.9p1

Protocol mismatch.

Connection to host lost.
$

This is a security weakness because it reveals the version of ssh that is running. I would like to have sshd not reveal its version. Is this possible without any recompiling needed?
 
Old 06-15-2007, 08:10 AM   #2
pk21
Member
 
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549

Rep: Reputation: 30
sshd will always report its version number; it is necessary for the clients to connect. There is no way to disable this.
 
Old 06-15-2007, 08:24 AM   #3
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
And for the one-millionth time... this isn't a "security risk".

What IS a security risk is not running the latest version of SSH. Anything else is just skirting the issue (i.e. not being up-to-date but "pretending" that you are... it won't fool anybody but yourself).

Most attackers, when faced with a particular server they wish to attack, will of course see the version number. However, absence of a version number, one that isn't valid or one that isn't the very latest is an indication that the server administrator probably ISN'T running the latest version and therefore it's worth trying EVERYTHING that works for ANY version.

And additionally, most tools of the kind that would attack ignore things like reported version strings and either a) blindly try everything on every server they find or b) use heuristics to "guess" what the real version is or whether it's vulnerable (you can't really do this for SSH because nobody has really bothered to make a comprehensive tool because of the "you can't disable the version string" code - which means that any SSH attacks will blindly attack anyway).

If anything, this draws attention to you, rather than puts people off. Seriously... which of these reports on your "ultra-cracking-tool" would you pay more attention to:

Apache 2.2.4
Apache 2.2.3
Apache 99999999
Apache My_Own_Personal_Version
Apache No_Version_Here_Because_I_Haven't_Updated_In_Years_And_Don't_Want_People_To_Know

I know which four I would pay more attention to. And when we're talking about SSH, which potentially allows root access instead of just "nobody:nogroup", it suddenly becomes a lot more important to keep up-to-date.

And then you have the problem that "faking" the version string (which is of course technically feasible) will pretty much break most SSH clients (PuTTY for one), because it relies on knowing the particular quirks of certain servers/versions for SSH (e.g. workarounds for bugs in old versions of OpenSSH).

Don't play at security, and especially not SSH - keep it updated or don't use it at all.
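To show what the clients mentioned in post #2 actually depend on, here is an added example (not from this thread, and not OpenSSH code) that parses the server identification string as RFC 4253 section 4.2 defines it, skips the optional lines a server may send before it, and applies the simplified protocol-version rule from section 5. The sample banners are constructed; the 1.x/2.0 check is a simplification of the negotiation rules.

```python
import re

# Identification string format, RFC 4253 section 4.2:
#   SSH-protoversion-softwareversion SP comments CR LF
# softwareversion is printable US-ASCII with no whitespace or '-' characters.
_IDENT_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9.]+)-(?P<soft>[\x21-\x2c\x2e-\x7e]+)"
    rb"(?: (?P<comments>[\x20-\x7e]*))?\r?\n$"
)

def parse_identification(stream: bytes) -> dict:
    """Parse the first bytes a server sends, as an SSH client must do.

    Lines before the 'SSH-' line are allowed by RFC 4253 and must be ignored
    by the client (they MUST NOT start with 'SSH-'); they are returned here
    so an inventory script can inspect them.
    """
    pre_banner = []
    for line in stream.splitlines(keepends=True):
        if not line.startswith(b"SSH-"):
            pre_banner.append(line.rstrip(b"\r\n").decode("ascii", "replace"))
            continue
        m = _IDENT_RE.match(line)
        if not m:
            raise ValueError(f"malformed identification line: {line!r}")
        return {
            "protoversion": m["proto"].decode("ascii"),
            "softwareversion": m["soft"].decode("ascii"),
            "comments": m["comments"].decode("ascii") if m["comments"] else None,
            "pre_banner": pre_banner,
        }
    raise ValueError("no SSH identification line found")

def proto_compatible(server_proto: str, client_proto: str = "2.0") -> bool:
    """Simplified negotiation rule (RFC 4253 section 5): '1.99' advertises
    support for both 1.x and 2.0; otherwise the major versions must agree."""
    if "1.99" in (server_proto, client_proto):
        return True
    return server_proto.split(".")[0] == client_proto.split(".")[0]

# Constructed sample banners (not captured from any real host).
BANNER_PLAIN = b"SSH-2.0-OpenSSH_3.9p1\r\n"  # the string quoted in the thread
BANNER_COMMENTED = b"Welcome, this host is monitored\r\nSSH-1.99-OpenSSH_3.9p1 Debian-1\r\n"
BANNER_SSH1_ONLY = b"SSH-1.5-OldServer_1.2\r\n"

if __name__ == "__main__":
    for sample in (BANNER_PLAIN, BANNER_COMMENTED, BANNER_SSH1_ONLY):
        info = parse_identification(sample)
        print(info["softwareversion"], "proto", info["protoversion"],
              "2.0 client can proceed:", proto_compatible(info["protoversion"]))
```

A client that cannot read this line has no way to learn which protocol major version the server speaks, which is why the string cannot simply be switched off.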
All times are GMT -5. The time now is 11:12 PM.