On Wed, May 27, 2015 at 09:42:38AM -0400, Daniel Kahn Gillmor wrote:
> Please change the defaults for the DebianBanner configuration variable
> to "no" from "yes".
>
> It's not clear to me that the advantages of announcing the debian
> version of the package that is running outweigh the additional metadata
> leakage.
I've always disagreed with this, which is why the banner default is the
way it is.  In particular, I've generally seen very little in the way of
evidence that people actually bother to select the servers they're going
to attack based on the banner, rather than just scattergunning the
attack across every server they can find.

> An administrator capable of upgrading packages when needed (e.g. for
> security updates) should have more reliable ways to learn the version of
> openssh-server running on their system than a cleartext banner sent
> across the network on port 22.

The specific case that prompted the banner in the first place was that
of a university trying to ensure that systems on its network were
secure, where the central administration doesn't have direct access to
upgrade packages nor any other such reliable way to determine package
versions, but does have the ability to disconnect vulnerable systems if
need be.

Cheers,

-- 
Colin Watson                                       [cjwat...@debian.org]
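The university case above (triage hosts from the banner alone, disconnect the outdated ones) and dkg's objection (with "DebianBanner no" the package version is simply not on the wire) can both be shown in code. The following is an added example, not code from this bug, from Debian's openssh packaging or from OpenSSH itself. It assumes the banner shape that "DebianBanner yes" produces, "SSH-2.0-OpenSSH_<upstream> Debian-<revision>" (Ubuntu's patch uses "Ubuntu-" the same way), and reimplements dpkg's version ordering so the advertised revision can be compared against a threshold. The sample banners, host names and the "fixed" version are constructed for the example.

```python
# Triage hosts by their SSH identification string.  Added example for this
# thread, not code from the bug, from Debian's openssh packaging or from
# OpenSSH.  Banners, hosts and the FIXED threshold are constructed samples.
import re
import socket

# "DebianBanner yes" appends the package revision; "DebianBanner no" does not.
BANNER_DEBIAN = "SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u1"
BANNER_PLAIN = "SSH-2.0-OpenSSH_6.7p1"

_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-OpenSSH_(?P<upstream>\S+)"
    r"(?:\s+(?P<distro>Debian|Ubuntu)-(?P<rev>\S+))?"
)


def parse_banner(line):
    """Split an OpenSSH identification string (RFC 4253 section 4.2).
    distro and rev are None when only the upstream version is sent."""
    m = _BANNER_RE.match(line.strip())
    if not m:
        raise ValueError("not an OpenSSH banner: %r" % line)
    return m.groupdict()


def _order(c):
    """dpkg character weight: '~' before everything, letters before other
    non-digits; end of string and digits weigh 0."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    """Compare version fragments as dpkg's verrevcmp() does: alternate
    non-digit runs and numeric runs, deciding on the first difference."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")       # numeric run, ignore leading zeros
        while a[:1].isdigit() and b[:1].isdigit():
            if not first_diff:
                first_diff = int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():                        # longer number wins
            return 1
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split "epoch:upstream-revision" into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_compare(a, b):
    """Negative, zero or positive, following dpkg --compare-versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def triage(banner, fixed_version):
    """'outdated' if the advertised Debian revision is older than
    fixed_version ("upstream-revision", epoch omitted), 'ok' otherwise, and
    'unknown' when no distribution suffix is sent: with DebianBanner off the
    package version cannot be learned from the network at all."""
    info = parse_banner(banner)
    if info["rev"] is None:
        return "unknown"
    running = "%s-%s" % (info["upstream"], info["rev"])
    return "outdated" if dpkg_compare(running, fixed_version) < 0 else "ok"


def grab_banner(host, port=22, timeout=3.0):
    """Read the server's first line (the only network call; the samples
    above are used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = s.recv(1)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace").rstrip("\r\n")


if __name__ == "__main__":
    FIXED = "6.7p1-5+deb8u3"                       # hypothetical fixed version
    for banner in (BANNER_DEBIAN, BANNER_PLAIN):
        print("%-40s -> %s" % (banner, triage(banner, FIXED)))
```

The "unknown" result is the whole point of contention: a central scanner that cannot upgrade the machine itself has nothing left to go on once the suffix is gone, while an attacker who scattershots every port 22 never needed it. Swap grab_banner() in for the constructed strings to run the same triage over a real host list.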