LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)
-   -   nmap reports incorrect version of sshd installed (https://www.linuxquestions.org/questions/linux-software-2/nmap-reports-incorrect-version-of-sshd-installed-711821/)

Rich Thomson 03-15-2009 06:16 PM

nmap reports incorrect version of sshd installed
 
I have the stock version (updated) of ssh/sshd installed on a centos 5.2 server, ssh 4.3p2. After upgrading to openssh-5.2p1 via an rpm package, and restarting sshd, the server reports sshd 5.2p1 (sshd -v and ssh -v). If I run nmap against this server, however, it reports OpenSSH 4.3. If I telnet in to this server on port 22, it comes back SSH-2.0-OpenSSH_4.3, matching what nmap is reporting.

When I do a similar upgrade of Apache (except via source), nmap correctly reports the new version of Apache, 2.2.11.

Thus, when my third party scans are performed, it appears that I have not upgraded ssh.

Must I first uninstall ssh, then install it, in order to get the correct header information returned (assuming this works)? Or is there an alternative?

Thanks - Rich

Ephracis 03-15-2009 09:19 PM

The version is inside the file "version.h" inside the source package. Too change it you need to recompile openssh and reinstall it. A tips is too change it, though. It reduces the information that attackers can gather from your server. If they know which version you have, they can better check for security holes. Changing the response can confuse automated scripts and make a lot of difference security-wise.

unSpawn 03-16-2009 04:41 AM

Quote:

Originally Posted by Ephracis (Post 3476604)
A tips is too change it, though. It reduces the information that attackers can gather from your server. If they know which version you have, they can better check for security holes. Changing the response can confuse automated scripts and make a lot of difference security-wise.

I would strongly argue against changing it because that is what you'd call "security by obscurity" (which does not enhance security at all) and OpenSSH clients rely on the right version string being supplied by the daemon. Instead invest in hardening the machine and strenghtening auditing and access controls. See http://www.linuxquestions.org/questi...tempts-340366/ for a roundup wrt SSH.

Rich Thomson 03-16-2009 09:04 AM

sshd version resolved
 
My intention was not to alter the version reported from what it actual is, but correctly report it to scans. I ended up removing ssh 4.3 and re-compiling 5.2, now it reports correctly. Thanks.

Ephracis 03-16-2009 12:27 PM

Quote:

Originally Posted by Rich Thomson (Post 3477052)
My intention was not to alter the version reported from what it actual is, but correctly report it to scans. I ended up removing ssh 4.3 and re-compiling 5.2, now it reports correctly. Thanks.

My point was that you _should_ alter it to report something else, or to not report the version number at all.

unSpawn 03-16-2009 04:45 PM

Quote:

Originally Posted by Ephracis (Post 3477315)
My point was that you _should_ alter it to report something else, or to not report the version number at all.

Ill advice, I'd say.

Ephracis 03-16-2009 05:14 PM

Quote:

Originally Posted by unSpawn (Post 3477547)
Ill advice, I'd say.

I do not see the point in that argument. Why would you want people to know the version number of the software you run anyway? Just remove all the info and at least you'll get rid of the script kiddies. Of course better hackers will be able to figure stuff out anyway but that's not the point.

I cannot see a general case in which you actually need to announce the version of the software. Please, enlighten me.

unSpawn 03-16-2009 06:12 PM

Quote:

Originally Posted by Ephracis (Post 3477578)
I cannot see a general case in which you actually need to announce the version of the software. Please, enlighten me.

I don't need to, just read http://www.openssh.com/faq.html#2.14

Ephracis 03-16-2009 06:25 PM

Quote:

Originally Posted by unSpawn (Post 3477616)
I don't need to, just read http://www.openssh.com/faq.html#2.14

I must have missed that and it totally voids any of my arguments. :P


All times are GMT -5. The time now is 11:12 AM.