On Tue, Feb 17, 2004 at 12:36:53AM -0500, Kevin Krumwiede wrote:
> When I telnet to port 22 on my 3.0r2 server, I see this:
>
> SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
>
> Isn't that considered sensitive information?

No, it's not sensitive information. Anyone trying to attack you is unlikely to bother to look at the version string first; they'll just try the attack and see if it works, which takes much less time and effort. Hiding the banner gains you little of value compared to what it loses people trying to interoperate with you.

I'm firmly of the opinion that software should advertise its version number to aid debugging in all kinds of circumstances. If there's a security flaw, *that's* what you need to fix, not try to hide behind obscurity. If I were an attacker, I might well attack the people with the least version information first on the basis that they were obviously trying to hide some problem: they certainly wouldn't have any magical immunity.

> Why advertise it so blatantly?

Because it's useful for network managers who do "friendly probing" to make sure all the sshd installations on their network have the known security holes fixed. (This is real life: the University of Cambridge Computing Service does this, for instance, and the Debian additions mean that they don't have to hassle all the users of Debian stable in cam.ac.uk about the vulnerabilities in OpenSSH 3.4p1 that Debian has fixed.)

In addition, the "SSH-2.0-OpenSSH_3.4p1" banner is a required part of the protocol, and is used by the client to detect known bugs in the server and apply workarounds where possible. The Debian additions to this advertise improvements in the form of patches for known vulnerabilities.

> Can I turn this banner off?

Not completely: see above. You can remove the Debian-specific information by rebuilding openssh from source (it's near the top of debian/rules, and fairly obvious), but you have nothing to gain by doing so. Always think about what attacks you're trying to defend against.

Cheers,

--
Colin Watson                                  [EMAIL PROTECTED]
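The "friendly probing" Colin describes is easy to do precisely because the identification string is sent in the clear before any key exchange: a plain TCP connect (the telnet in the question) is enough to read it. The following is an added example, not code from the thread, from Debian or from OpenSSH. It parses SSH identification strings of the form "SSH-protoversion-softwareversion SP comments" (the format from the SSH transport protocol, RFC 4253), pulls the Debian package version out of the comments field, and compares it against an assumed minimum fixed version using a simplified version of dpkg's comparison rules (no special handling of "~" or of letters versus punctuation). The sample banners, the FIXED_VERSION constant and the "ok"/"outdated"/"unknown" labels are constructed for the example; grab_banner() is included for use against a real host but is not exercised offline.

```python
import itertools
import re
import socket

# Constructed sample banners for offline use. The first is the banner quoted in
# the thread; the other two are made up to exercise the other outcomes.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3",
    "SSH-1.99-OpenSSH_3.4p1",
    "SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.1",
]

# Assumed minimum package version for this example; a real audit would take
# this from the relevant Debian security advisory.
FIXED_VERSION = "1:3.4p1-1.woody.3"

# Identification string: SSH-protoversion-softwareversion [SP comments] CR LF
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
DEBIAN_RE = re.compile(r"^Debian (?P<version>\S+)$")


def parse_banner(line):
    """Split an identification string into proto, software, comments and
    (if the comments carry one) the Debian package version. None if invalid."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    info = m.groupdict()
    info["debian_version"] = None
    if info["comments"]:
        d = DEBIAN_RE.match(info["comments"])
        if d:
            info["debian_version"] = d.group("version")
    return info


def _split_version(version):
    """'epoch:upstream-revision' -> (epoch, upstream, revision); epoch defaults
    to 0 and revision to '' as in dpkg."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def _tokens(part):
    """Alternating (non-digit run, numeric run) pairs, as dpkg's verrevcmp sees them."""
    return [(nd, int(d) if d else 0)
            for nd, d in re.findall(r"(\D*)(\d*)", part) if nd or d]


def _compare_part(a, b):
    # Simplified dpkg rule: non-digit runs compare as strings, digit runs numerically.
    for (na, da), (nb, db) in itertools.zip_longest(_tokens(a), _tokens(b), fillvalue=("", 0)):
        if na != nb:
            return (na > nb) - (na < nb)
        if da != db:
            return (da > db) - (da < db)
    return 0


def compare_debian_versions(a, b):
    """Negative, zero or positive as a is older than, equal to or newer than b."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return ea - eb
    return _compare_part(ua, ub) or _compare_part(ra, rb)


def audit_banner(banner, fixed_version=FIXED_VERSION):
    """Classify one banner: 'ok', 'outdated', 'unknown' (no Debian revision
    advertised, so the banner alone cannot answer) or 'invalid'."""
    info = parse_banner(banner)
    if info is None:
        return "invalid"
    if info["debian_version"] is None:
        return "unknown"
    if compare_debian_versions(info["debian_version"], fixed_version) >= 0:
        return "ok"
    return "outdated"


def grab_banner(host, port=22, timeout=5.0):
    """Read the server's identification line over a bare TCP connection; no key
    exchange happens. Lines before the one starting 'SSH-' are skipped, as the
    protocol allows a server to send other text first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for _ in range(20):
            line = f.readline(255)
            if not line:
                break
            if line.startswith(b"SSH-"):
                return line.decode("ascii", "replace").rstrip("\r\n")
    return None


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{audit_banner(b):8s} {b}")
```

Note the "unknown" outcome for the bare upstream banner: strip the Debian revision from the string and an auditor is left unable to tell a patched woody sshd from an unpatched one without trying the attack, which is the point Colin makes above about who really pays for a hidden banner.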