On Wed, 2015-05-27 at 15:38 +0100, Colin Watson wrote:

> I've always disagreed with this, which is why the banner default is the
> way it is. In particular, I've generally seen very little in the way of
> evidence that people actually bother to select the servers they're going
> to attack based on the banner, rather than just scattergunning the
> attack across every server they can find.

From a security POV I'd tentatively agree with Colin... DKG, do you have any stronger reasons why you'd think an attacker could take benefit of this? E.g. are there attacks which take considerable time and where knowledge of whether the server was vulnerable would thus help?

But...

> The specific case that prompted the banner in the first place was that
> of a university trying to ensure that systems on its network were secure,
> where the central administration doesn't have direct access to upgrade
> packages nor any other such reliable way to determine package versions,
> but does have the ability to disconnect vulnerable systems if need be.

Here I have to disagree with Colin. The purpose of SSH has never been to do package management and/or Nagios-like tasks like software version reporting. If big sites want to monitor their current SSH version state they should better use the tools made for it (check_apt or whatever). The version in it is purely for protocol compatibility reasons.

Thus, the DebianBanner should have never gotten in, and from an engineering PoV it's not only pretty much useless but should rather be removed.

Cheers,
Chris.
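The identification string the thread is arguing about, as an added example that is not part of the original mail: a small Python parser following the RFC 4253 layout `SSH-protoversion-softwareversion SP comments`, run over constructed sample banners for hypothetical hosts to show what an administrator can and cannot read off the banner alone when DebianBanner is on or off. The host names, banners and the `parse_ident`/`inventory` helpers are all assumptions made for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 4253 s.4.2 identification string: SSH-protoversion-softwareversion SP comments CR LF
_IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

@dataclass
class SshIdent:
    protoversion: str                # "2.0" or "1.99": the part the protocol itself needs
    softwareversion: str             # e.g. "OpenSSH_6.7p1"
    comments: Optional[str]          # text after the space, e.g. "Debian-5+deb8u2"
    openssh_version: Optional[str]   # upstream version when the server is OpenSSH
    debian_revision: Optional[str]   # suffix present only when DebianBanner is enabled

def parse_ident(line: bytes) -> Optional[SshIdent]:
    """Parse one server identification line as sent on the wire; None if it is not one."""
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    m = _IDENT_RE.match(text)
    if not m:
        return None
    software, comments = m.group("software"), m.group("comments")
    openssh = software[len("OpenSSH_"):] if software.startswith("OpenSSH_") else None
    debian = next((t[len("Debian-"):] for t in (comments or "").split()
                   if t.startswith("Debian-")), None)
    return SshIdent(m.group("proto"), software, comments, openssh, debian)

def inventory(banners: Dict[str, bytes]) -> Dict[str, dict]:
    """Summarise what the banner alone tells an administrator about each host."""
    report = {}
    for host, raw in banners.items():
        ident = parse_ident(raw)
        if ident is None:
            report[host] = {"error": "not an SSH identification string"}
            continue
        report[host] = {
            "openssh": ident.openssh_version,
            "debian_revision": ident.debian_revision,
            # Without the Debian suffix a patched and an unpatched 6.7p1 look identical.
            "package_known": ident.debian_revision is not None,
        }
    return report

# Constructed sample banners for hypothetical hosts, not captured from any real network.
SAMPLE_BANNERS = {
    "web1": b"SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2\r\n",  # DebianBanner yes
    "web2": b"SSH-2.0-OpenSSH_6.7p1\r\n",                  # DebianBanner no
    "nas1": b"SSH-2.0-dropbear_2014.66\r\n",               # not OpenSSH at all
    "junk": b"220 not-an-ssh-server\r\n",                  # something else on port 22
}
```

Only `web1` yields a package revision; for the other hosts the banner leaves the administrator exactly where a package-level tool such as check_apt would be needed anyway.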