[ale] SSHD reports version info!?

matty91 at bellsouth.net matty91 at bellsouth.net
Thu Feb 19 14:31:35 EST 2004 

On Thu, 19 Feb 2004, Michael H. Warfield wrote:

> On Thu, Feb 19, 2004 at 02:08:29PM -0500, matty91 at bellsouth.net wrote:
> > On Thu, 19 Feb 2004, Michael H. Warfield wrote:
>
> > > On Thu, Feb 19, 2004 at 02:39:42AM -0500, Kevin Krumwiede wrote:
> > > > (I posted this to the debian-user list but it never showed up.)
> > >
> > > > When I telnet to port 22 on my 3.0r2 server, I see this:
> > >
> > > > SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
> > >
> > > > Isn't that considered sensitive information?  Why advertise it so
> > > > blatantly?  Is there any way turn this banner off?
> > >
> > > 	Not really.  If you didn't, an attack can just throw a broad
> > > spectrum attack at you, no gain.  Someone scanning would spot you and
> > > just assume that you are obfuscating the information because you're too
> > > lazy to keep your software up to date and flag you for that extra special
> > > attention they like to provide from time to time, just after an exploit
> > > release.
>
> > I am not so sure I agree with this. Most of the script kiddie utilities
> > do pattern matching based on banner information. While this doesn't
> > protect you from someone with a clue, it would help you deflect
> > attacks from the ppl d/l'ing sploits on the web.
>
> 	Not a prayer.  Some do pattern matching and some will kick out
> "unusual" matches for, errr, deeper analysis.  The worms tend to be
> extremely simplistic.  Don't assume that of the attackers.

The keyword is "some" protection is gained from disabling banners. In
my mind, one deflected attack because banners are disabled makes it
worthwhile. :) Most folks d/l'ing sploits wouldn't know what to do if the
script doesn't work out of the box. I agree with you that this is a poor
practice to use to protect unpatched software. In my mind, it does have
some value.

>
> > > 	No you can not turn it off and, even if you could, you would then
> > > break ssh.  That information is not there merely for you edification.
> > > It's there to tell the client what protocols to speak.  There are
> > > several different dialects and the client needs to know what it's talking
> > > to inorder to negotiate the protocols properly.  It's the openning offer
> > > in the protocol.
>
> > Well, OpenBSD/FreeBSD have the "VersionAddendum" option. My friend
> > configures his Openssh server to report:
>
> > VersionAddendum Windows 2000 Professional Server
>
> 	Yeah, I think that just affects the mutable portion and leaves
> the protocol portion alone.  You still can't just "turn it off" and it's
> still going to identify the version of OpenSSH.
>
> > You should be able to grab these patches if you are concerned about
> > the OS information in the banner.
>
> > > 	Some of the information (Like from "Debian" to the end of line)
> > > is mutable and you could trash it.  That first openning string, however,
> > > should NOT be tampered with.
> > >
> > > > Thanks,
> > > > Krum
> > >
> > > 	Mike
> > > --
> > >  Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
> > >   /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
> > >   NIC whois:  MHW9      |  An optimist believes we live in the best of all
> > >  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
> > >
> >
> > Ryan Matteson - UNIX Administrator | GPG ID: 92D5DFFF
> > Public Key: http://www.daemons.net/~matty/public_key.txt
> > Fingerprint = 4BEC 6145 30A6 BCE6 5602 FF11 4954 165D 92D5 DFFF
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
>
> --
>  Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
>   /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
>   NIC whois:  MHW9      |  An optimist believes we live in the best of all
>  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
>

Ryan Matteson - UNIX Administrator | GPG ID: 92D5DFFF
Public Key: http://www.daemons.net/~matty/public_key.txt
Fingerprint = 4BEC 6145 30A6 BCE6 5602 FF11 4954 165D 92D5 DFFF

More information about the Ale mailing list