Hi there!
Well that is the question, how the hell can I hide OpenSSH version? I searched on OpenSSH documentation and Googled a hours, and I found nothing yet. That's what I want to hide, scanning with nmap for exemple gets that :

22/tcp open ssh OpenSSH 3.9p1 (protocol 2.0)

Somebody know how to hide it ?

Greets,

N*

1) Why would you need to? What do you think this will achieve?

2) Nmap is getting this information (I should think) from the way the software behaves, not it's version number. In much the same way that it differentiates between Linux 2.4 and 2.6 TCP/IP stacks... by passive analysis of how the software operates. That's not something that's going to be easy to change, short of rewriting the methods that OpenSSH uses and even then, I refer you back to 1).

By showing the software version and name it's much easier for crackers to know their target, and potential bugs available to them. Masking it makes it that much harder.

Exactly, for exemple, "nmap -p22 -sV 216.109.*.*" | grep OpenSSH-vunl-version" and I will be hunted if my openssh is vulnerable.

N*

Whatever you want to do.

This is the oft-mentioned "security through obscurity", often stated as "no security at all". Having no version number will not stop people from trying out known exploits on your OpenSSH. In fact, you will find that with no version number people will try EVERY exploit for EVERY version instead.

If you hide your version number, it says to me that you don't want people to know what version it is because it might not be the most up-to-date. That's ten times worse. Instead, running a known-secure version is a much better idea, limiting it's access to known IP's, using public-key encrypyion etc. will save you much more time and worry than trying to obscure the fact that you are running an insecure version.

I know of no way to hide the OpenSSH version short of patching the source (and I don't even know if that will work... again I think there are heuristics involved, not just a simple version number string, i.e. nmap is looking for the way OpenSSH responds to certain commands, etc. and completely ignores what version number it's actually reporting) and I don't see what it would achieve to do so. I feel that it's more likely to attract MORE attention that you are hiding version strings because that would suggest that they might be vulnerable versions.

You are opening a door to the world by running SSH... at least have a decent bouncer on a locked door rather than a sign that says "Access denied" on an unlocked door.

From the www.openssh.com faq, quote:
2.14 - Why does OpenSSH report its version to clients?

OpenSSH, like most SSH implementations, reports its name and version to clients when they connect, e.g.

SSH-2.0-OpenSSH_3.9

This information is used by clients and servers to enable protocol compatibility tweaks to work around changed, buggy or missing features in the implementation they are talking to. This protocol feature checking is still required at present because the SSH protocol has not been yet published as a RFC and more incompatible changes may be made before this happens.

If you really want the hide version feature for ssh,
there are only 2 options :
- hack the sources
- buy the commercial version of ssh

[edit]
as davidsrsb said, the version number is required anyway
see http://www.free.lp.se/fish/rfc.txt

Alright, many thanks, I think that I won't hide the version if it's required, I don't want to have problems

Regards,

C-

Also do no take the big guns
That should be enough