Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
06-15-2007, 05:57 AM #1
Member
Registered: May 2002
Location: Thorverton, Near Exeter, Devon, England
Distribution: Ubuntu 10.04 (used to be Red Hat 7.1, then Red Hat 9, then FC 2, FC 5, FC 6, FC 9 and Ubuntu 8.04)
Posts: 105
Stop SSHD reporting its Local version string
How can I get sshd to stop reporting its Local version string when someone tries to connect using telnet? At the moment, if you try this:
$ telnet serveraddress 22
then SSHD responds with something like:
SSH-2.0-OpenSSH_3.9p1
Protocol mismatch.
Connection to host lost.
$
This is a security weakness because it reveals the version of ssh that is running. I would like to have sshd not reveal its version. Is this possible without any recompiling needed?
06-15-2007, 08:10 AM #2
Member
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549
sshd will always report its version number; it is necessary for the clients to connect. There is no way to disable this.
06-15-2007, 08:24 AM #3
Member
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241
And for the one-millionth time... this isn't a "security risk".
What IS a security risk is not running the latest version of SSH. Anything else is just skirting the issue (i.e. not being up-to-date but "pretending" that you are... it won't fool anybody but yourself).
Most attackers, when faced with a particular server they wish to attack, will of course see the version number. However, the absence of a version number, one that isn't valid or one that isn't the very latest is an indication that the server administrator probably ISN'T running the latest version and therefore it's worth trying EVERYTHING that works for ANY version.
And additionally, most tools of the kind that would attack ignore things like reported version strings and either a) blindly try everything on every server they find or b) use heuristics to "guess" what the real version is or whether it's vulnerable (you can't really do this for SSH because nobody has really bothered to make a comprehensive tool because of the "you can't disable the version string" code - which means that any SSH attacks will blindly attack anyway).
If anything, this draws attention to you, rather than puts people off. Seriously... which of these reports on your "ultra-cracking-tool" would you pay more attention to:
Apache 2.2.4
Apache 2.2.3
Apache 99999999
Apache My_Own_Personal_Version
Apache No_Version_Here_Because_I_Haven't_Updated_In_Years_And_Don't_Want_People_To_Know
I know which four I would pay more attention to. And when we're talking about SSH, which potentially allows root access instead of just "nobody:nogroup", it suddenly becomes a lot more important to keep up-to-date.
And then you have the problem that "faking" the version string (which is of course technically feasible) will pretty much break most SSH clients (PuTTY for one), because it relies on knowing the particular quirks of certain servers/versions for SSH (e.g. workarounds for bugs in old versions of OpenSSH).
Don't play at security, and especially not SSH - keep it updated or don't use it at all.
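Added example, not code from this thread or from OpenSSH: the line the original poster saw via telnet is the SSH identification string that RFC 4253 requires both peers to send before key exchange, which is why reply #2 says it cannot be switched off. The script below parses that string the way an SSH client must (skipping any pre-banner lines, splitting protoversion, softwareversion and comments) and then uses the parsed OpenSSH version to flag hosts that fall below a patch baseline, i.e. the "keep it updated" inventory that reply #3 argues is the actual control. The host names, banner bytes and the MIN_OPENSSH baseline are constructed for the example; in practice you would collect banners from your own servers and set the baseline from your distribution's current package.

```python
"""
Parse SSH identification strings (RFC 4253 section 4.2) and rank the
reported OpenSSH version against a patch baseline.

Added example for this thread; not code from LinuxQuestions.org or OpenSSH.
Sample banners, host names and the baseline are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# RFC 4253 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# softwareversion is printable US-ASCII with no whitespace and no '-',
# so the character class below is 0x21..0x7e minus 0x2d.
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<sw>[\x21-\x2c\x2e-\x7e]+)(?: (?P<comments>.*))?$"
)
# OpenSSH software versions look like OpenSSH_3.9p1 or OpenSSH_7.4 (the "pN"
# suffix is the portable release number).
_OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


@dataclass(frozen=True)
class SshIdent:
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def parse_identification(line: str) -> SshIdent:
    """Parse one identification line; raises ValueError if it is malformed."""
    line = line.rstrip("\r\n")
    m = _BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshIdent(m["proto"], m["sw"], m["comments"])


def first_identification(raw: bytes) -> SshIdent:
    """A server may send arbitrary lines before the 'SSH-' line (RFC 4253
    lets clients skip them); return the first line that parses."""
    for line in raw.decode("ascii", errors="replace").split("\n"):
        if line.startswith("SSH-"):
            return parse_identification(line)
    raise ValueError("no SSH identification line found")


def openssh_version(ident: SshIdent) -> Optional[Tuple[int, int, int, int]]:
    """(major, minor, patch, portable) for OpenSSH banners, else None."""
    m = _OPENSSH_RE.match(ident.softwareversion)
    if not m:
        return None
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0), int(portable or 0))


def is_at_least(ident: SshIdent, minimum: Tuple[int, int, int, int]) -> bool:
    v = openssh_version(ident)
    return v is not None and v >= minimum


def audit(banners: Dict[str, bytes], minimum) -> Dict[str, Tuple[str, str]]:
    """Map host -> (status, detail). 'review' means below baseline or not
    OpenSSH (unknown build), 'unparsable' means the banner was malformed."""
    report = {}
    for host, raw in banners.items():
        try:
            ident = first_identification(raw)
        except ValueError as exc:
            report[host] = ("unparsable", str(exc))
            continue
        status = "ok" if is_at_least(ident, minimum) else "review"
        report[host] = (status, ident.softwareversion)
    return report


# Constructed sample banners (as a client would read them off the socket).
SAMPLE_BANNERS: Dict[str, bytes] = {
    "legacy-box": b"SSH-2.0-OpenSSH_3.9p1\r\n",                     # from the thread
    "patched-box": b"Welcome\r\nSSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n",
    "embedded": b"SSH-2.0-dropbear_0.52\r\n",
    "bogus": b"SSH-2.0-\r\n",
}
# Hypothetical baseline for the example; set from your distro's current package.
MIN_OPENSSH = (4, 7, 0, 0)

if __name__ == "__main__":
    for host, (status, detail) in audit(SAMPLE_BANNERS, MIN_OPENSSH).items():
        print(f"{host:12} {status:10} {detail}")
```

The parser deliberately rejects an empty softwareversion and a softwareversion containing a space or minus sign, because an SSH client would likewise fail on such a banner; this is the practical reason reply #3 gives that a faked or blank string breaks clients rather than hiding anything.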
All times are GMT -5.