Is there any benefit to spoofing SSH version string, and how do I do that?
I am trying to harden a webserver that has OpenSSH running.
Is there any benefit to spoofing the version string that is reported when running, say, nmap against the host?
If so, how do I do that? I am running Debian stable, so I would prefer to use apt-get to keep updated without needing to configure/make/make install with every security update.
I haven't had much luck with the man-pages or Google.
Thanks for any suggestions.
Steve
Last edited by Steve Cronje; 01-19-2005 at 02:24 PM.
I'd have to say that crackers pay absolutely no attention to the information being returned to them. It looks to me like they always just take a rip at the IP address just to see if it breaks. If it does, then they pay attention, but if it doesn't, it's on to the next IP address. The reason I say that is that I haven't hidden the fact that I have an Apache server running on Linux, yet my logs are filled with attempts to crack into IIS. I also keep an OpenSSH very well patched, yet every day at least one person has a go at it, even though they should be able to see I'm running an SSH version that doesn't have any known exploits.
Personally, I think your time and effort would be better spent on other security aspects. Sending bad information back just doesn't strike me as having any deterrent value.
Originally posted by Hangdog42 I'd have to say that crackers pay absolutely no attention to the information being returned to them.
Yes, I have seen that too.
Quote:
Personally, I think your time and effort would be better spent on other security aspects. Sending bad information back just doesn't strike me as having any deterrent value.
That is true, I was just wondering if there was an easy way to add another layer. The less information given out the better. I must say, I might have phrased my initial question poorly. What I was hoping to do was simply return, say, "SSH" in the string, rather than all the version details. If that was an easy fix, it might add a little more security.
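As an added example (not code from anyone in this thread), here is a small Python audit script that reads the SSH identification string the way nmap would and reports which of its fields disclose software details, so you can check from the outside exactly what your own sshd returns; the banners embedded in it are constructed samples, and the host name passed on the command line is your own server.

```python
import socket
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample banners (not captured from any real host).
SAMPLE_FULL = b"SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4\r\n"
SAMPLE_MINIMAL = b"SSH-2.0-SSH\r\n"
SAMPLE_WITH_PREAMBLE = b"Unauthorized access prohibited.\r\nSSH-1.99-OpenSSH_3.9p1\r\n"


@dataclass
class SshBanner:
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def parse_ssh_banner(data: bytes) -> SshBanner:
    """Parse an SSH identification string (RFC 4253 section 4.2):
    "SSH-protoversion-softwareversion SP comments CR LF".
    A server may send other lines before the real banner, so skip
    everything up to the first line that starts with "SSH-"."""
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r").decode("ascii", errors="replace")
        if line.startswith("SSH-"):
            break
    else:
        raise ValueError("no SSH- identification line found")
    ident, _, comments = line.partition(" ")
    parts = ident.split("-", 2)  # "SSH", protoversion, softwareversion
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError(f"malformed identification string: {line!r}")
    return SshBanner(parts[1], parts[2], comments or None)


def disclosure(banner: SshBanner) -> List[str]:
    """List what an unauthenticated client learns beyond the protocol version."""
    found = []
    if any(ch.isdigit() for ch in banner.softwareversion):
        found.append("software version number")
    if banner.softwareversion.lower() != "ssh":
        found.append("software name")
    if banner.comments:
        found.append("comments (typically distribution/package details)")
    return found


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> SshBanner:
    """Connect as a scanner would and read the server's identification string."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while len(data) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
            idx = data.find(b"SSH-")
            if idx != -1 and b"\n" in data[idx:]:
                break
    return parse_ssh_banner(data)


if __name__ == "__main__":
    import sys
    b = fetch_banner(sys.argv[1]) if len(sys.argv) > 1 else parse_ssh_banner(SAMPLE_FULL)
    print(b, "discloses:", ", ".join(disclosure(b)) or "nothing beyond protocol version")
```

Run it with no arguments to see the parse of the constructed full banner, or with your server's hostname to audit the live one.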