Hi there!
Well that is the question, how the hell can I hide OpenSSH version? I searched on OpenSSH documentation and Googled for hours, and I found nothing yet. That's what I want to hide, scanning with nmap for example gets that:
1) Why would you need to? What do you think this will achieve?
2) Nmap is getting this information (I should think) from the way the software behaves, not its version number. In much the same way that it differentiates between Linux 2.4 and 2.6 TCP/IP stacks... by passive analysis of how the software operates. That's not something that's going to be easy to change, short of rewriting the methods that OpenSSH uses and even then, I refer you back to 1).
By showing the software version and name it's much easier for crackers to know their target, and potential bugs available to them. Masking it makes it that much harder.
Exactly, for example, "nmap -p22 -sV 216.109.*.* | grep OpenSSH-vunl-version" and I will be hunted if my openssh is vulnerable.
This is the oft-mentioned "security through obscurity", often stated as "no security at all". Having no version number will not stop people from trying out known exploits on your OpenSSH. In fact, you will find that with no version number people will try EVERY exploit for EVERY version instead.
If you hide your version number, it says to me that you don't want people to know what version it is because it might not be the most up-to-date. That's ten times worse. Instead, running a known-secure version is a much better idea, limiting its access to known IPs, using public-key encryption etc. will save you much more time and worry than trying to obscure the fact that you are running an insecure version.
I know of no way to hide the OpenSSH version short of patching the source (and I don't even know if that will work... again I think there are heuristics involved, not just a simple version number string, i.e. nmap is looking for the way OpenSSH responds to certain commands, etc. and completely ignores what version number it's actually reporting) and I don't see what it would achieve to do so. I feel that it's more likely to attract MORE attention that you are hiding version strings because that would suggest that they might be vulnerable versions.
You are opening a door to the world by running SSH... at least have a decent bouncer on a locked door rather than a sign that says "Access denied" on an unlocked door.
From the www.openssh.com faq, quote:
2.14 - Why does OpenSSH report its version to clients?
OpenSSH, like most SSH implementations, reports its name and version to clients when they connect, e.g.
SSH-2.0-OpenSSH_3.9
This information is used by clients and servers to enable protocol compatibility tweaks to work around changed, buggy or missing features in the implementation they are talking to. This protocol feature checking is still required at present because the SSH protocol has not been yet published as a RFC and more incompatible changes may be made before this happens.
If you really want the hide version feature for ssh,
there are only 2 options :
- hack the sources
- buy the commercial version of ssh
[edit]
as davidsrsb said, the version number is required anyway
Quote:
When the client connects the server, the server accepts the connection and responds by sending back its version identification string. The client parses the server's identification, and sends its own identification. The purpose of the identification strings is to validate that the connection was to the correct port, declare the protocol version number used, and to declare the software version used on each side (for debugging purposes). The identification strings are human-readable. If either side fails to understand or support the other side's version, it closes the connection.
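The identification string discussed in this thread (e.g. `SSH-2.0-OpenSSH_3.9`) can be parsed and checked against a minimum version across servers you administer, which is the "run a known-secure version" advice in practice. This is an added example, not part of the original thread; the host names, sample banners, function names and the `MINIMUM` policy value are all constructed assumptions.

```python
import re

# Layout: SSH-<protoversion>-<softwareversion>[ <comments>] (later standardised in RFC 4253, 4.2)
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>[\x21-\x2c\x2e-\x7e]+)(?: (?P<comments>.*))?$"
)
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")

def parse_ident(line):
    """Split one identification line into its fields; None if malformed."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None

def openssh_version(software):
    """Return (major, minor, patch, portable) or None for non-OpenSSH servers."""
    m = OPENSSH_RE.match(software)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def audit(banners, minimum):
    """Map host -> finding for banners collected from hosts you administer."""
    findings = {}
    for host, banner in banners.items():
        ident = parse_ident(banner)
        if ident is None:
            findings[host] = "malformed"
        elif (ver := openssh_version(ident["software"])) is None:
            findings[host] = "not-openssh"
        elif ver < minimum:
            findings[host] = "below-minimum"
        else:
            findings[host] = "ok"
    return findings

# Constructed sample data: host names and banners are invented for illustration.
SAMPLE = {
    "gw.example.net": "SSH-2.0-OpenSSH_3.9\r\n",
    "build.example.net": "SSH-2.0-OpenSSH_4.3p2 Debian-9\r\n",
    "old.example.net": "SSH-1.99-OpenSSH_3.4p1\r\n",
    "appliance.example.net": "SSH-2.0-ExampleSSHD_1.0\r\n",
    "broken.example.net": "HTTP/1.1 400 Bad Request\r\n",
}
MINIMUM = (3, 9, 0, 0)  # assumed site policy, not a value from the thread

if __name__ == "__main__":
    print(audit(SAMPLE, MINIMUM))
```

A "below-minimum" result is a prompt to check the package changelog rather than proof of exposure, since distributions often backport fixes without changing the version the banner reports.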