LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 03-15-2009, 07:16 PM   #1
Rich Thomson
LQ Newbie
 
Registered: Mar 2006
Location: San Diego
Distribution: fedora 5-15, centos 5.x,Knoppix ,openSuse
Posts: 9

Rep: Reputation: 0
nmap reports incorrect version of sshd installed


I have the stock version (updated) of ssh/sshd installed on a centos 5.2 server, ssh 4.3p2. After upgrading to openssh-5.2p1 via an rpm package, and restarting sshd, the server reports sshd 5.2p1 (sshd -v and ssh -v). If I run nmap against this server, however, it reports OpenSSH 4.3. If I telnet in to this server on port 22, it comes back SSH-2.0-OpenSSH_4.3, matching what nmap is reporting.

When I do a similar upgrade of Apache (except via source), nmap correctly reports the new version of Apache, 2.2.11.

Thus, when my third party scans are performed, it appears that I have not upgraded ssh.

Must I first uninstall ssh, then install it, in order to get the correct header information returned (assuming this works)? Or is there an alternative?

Thanks - Rich
 
Old 03-15-2009, 10:19 PM   #2
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Rep: Reputation: 49
The version is inside the file "version.h" inside the source package. Too change it you need to recompile openssh and reinstall it. A tips is too change it, though. It reduces the information that attackers can gather from your server. If they know which version you have, they can better check for security holes. Changing the response can confuse automated scripts and make a lot of difference security-wise.
 
Old 03-16-2009, 05:41 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590
Quote:
Originally Posted by Ephracis View Post
A tips is too change it, though. It reduces the information that attackers can gather from your server. If they know which version you have, they can better check for security holes. Changing the response can confuse automated scripts and make a lot of difference security-wise.
I would strongly argue against changing it because that is what you'd call "security by obscurity" (which does not enhance security at all) and OpenSSH clients rely on the right version string being supplied by the daemon. Instead invest in hardening the machine and strenghtening auditing and access controls. See http://www.linuxquestions.org/questi...tempts-340366/ for a roundup wrt SSH.
 
Old 03-16-2009, 10:04 AM   #4
Rich Thomson
LQ Newbie
 
Registered: Mar 2006
Location: San Diego
Distribution: fedora 5-15, centos 5.x,Knoppix ,openSuse
Posts: 9

Original Poster
Rep: Reputation: 0
sshd version resolved

My intention was not to alter the version reported from what it actual is, but correctly report it to scans. I ended up removing ssh 4.3 and re-compiling 5.2, now it reports correctly. Thanks.
 
Old 03-16-2009, 01:27 PM   #5
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Rep: Reputation: 49
Quote:
Originally Posted by Rich Thomson View Post
My intention was not to alter the version reported from what it actual is, but correctly report it to scans. I ended up removing ssh 4.3 and re-compiling 5.2, now it reports correctly. Thanks.
My point was that you _should_ alter it to report something else, or to not report the version number at all.
 
Old 03-16-2009, 05:45 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590
Quote:
Originally Posted by Ephracis View Post
My point was that you _should_ alter it to report something else, or to not report the version number at all.
Ill advice, I'd say.
 
Old 03-16-2009, 06:14 PM   #7
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Rep: Reputation: 49
Quote:
Originally Posted by unSpawn View Post
Ill advice, I'd say.
I do not see the point in that argument. Why would you want people to know the version number of the software you run anyway? Just remove all the info and at least you'll get rid of the script kiddies. Of course better hackers will be able to figure stuff out anyway but that's not the point.

I cannot see a general case in which you actually need to announce the version of the software. Please, enlighten me.
 
Old 03-16-2009, 07:12 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590
Quote:
Originally Posted by Ephracis View Post
I cannot see a general case in which you actually need to announce the version of the software. Please, enlighten me.
I don't need to, just read http://www.openssh.com/faq.html#2.14
 
Old 03-16-2009, 07:25 PM   #9
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Rep: Reputation: 49
Quote:
Originally Posted by unSpawn View Post
I don't need to, just read http://www.openssh.com/faq.html#2.14
I must have missed that and it totally voids any of my arguments. :P
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
nmap reports 5190/tcp to be open GSMD Linux - Networking 2 08-20-2008 04:57 PM
Scaling reports incorrect number of steps. xpromisex Linux - Laptop and Netbook 7 08-01-2006 11:37 PM
Tweek-Test Reports Incorrect MTU Lnx805 Linux - Networking 1 11-27-2005 11:22 AM
nmap reports port 21 (ftp) open - how to close it? shazam75 Linux - Security 3 09-23-2005 08:13 PM
SNMP Reports Incorrect Speed meshcurrent Linux - Networking 1 02-11-2004 09:10 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 10:34 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration