On 22/02/16 18:27, Russ Allbery wrote:
> Carlos Alberto Lopez Perez writes:
>
>> Attackers usually don't start trying to probe exploit after exploit.
>
> Of course they do. That is, *by far*, the most common attacker strategy
> on the Internet. Just look at the logs of any Internet-facing serv
Carlos Alberto Lopez Perez writes:
> Attackers usually don't start trying to probe exploit after exploit.
Of course they do. That is, *by far*, the most common attacker strategy
on the Internet. Just look at the logs of any Internet-facing service.
--
Russ Allbery (r...@debian.org)
On 22/02/16 16:30, Colin Watson wrote:
> On Mon, Feb 22, 2016 at 04:19:24PM +0100, Carlos Alberto Lopez Perez wrote:
>> So, putting it into other words... The use case was actually to make
>> easier to detect vulnerable systems to anyone without access to the
>> system by inspecting the DebianBann
On Mon, Feb 22, 2016 at 04:19:24PM +0100, Carlos Alberto Lopez Perez wrote:
> So, putting it into other words... The use case was actually to make
> easier to detect vulnerable systems to anyone without access to the
> system by inspecting the DebianBanner version of the SSH servers, right?
Peopl
On 27/05/15 16:38, Colin Watson wrote:
>> An administrator capable of upgrading packages when needed (e.g. for
>> security updates) should have more reliable ways to learn the version of
>> openssh-server running on their system than a cleartext banner sent
>> across the network on port 22.
>
> Th
On Wed, May 27, 2015 at 07:33:12PM +0200, Christoph Anton Mitterer wrote:
> As I've said... I (personally) don't feel that concerned about this
> specific issue - we have other much more serious security problems in
> OpenSSH.
OK, but you took the trouble to reply to this bug to disagree in the
fi
On Wed, 2015-05-27 at 18:29 +0100, Colin Watson wrote:
> Like I say, I'm not aware of this being an issue in practice. If you
> know real details, then instead of replying to this bug with hypotheses,
> please point me at real examples.
As I've said... I (personally) don't feel that concerned abo
On Wed, May 27, 2015 at 06:59:33PM +0200, Christoph Anton Mitterer wrote:
> On Wed, 2015-05-27 at 16:58 +0100, Colin Watson wrote:
> > Nagios is fine if you're running a server farm. It's useless if your
> > purpose is to perform friendly probing of a large heterogeneous network
> > most of which
On Wed, 2015-05-27 at 16:58 +0100, Colin Watson wrote:
> Nagios is fine if you're running a server farm. It's useless if your
> purpose is to perform friendly probing of a large heterogeneous network
> most of which consists of desktop-type systems not run by professional
> sysadmins.
We have tho
I agree with dkg. In an age where we know that nation-state actors at
the same time kill people based on metadata and target Angry Birds, we
should do all we can to minimize revealing metadata by default.
I can see no real protocol reason why the DebianBanner exists. If Sysads
want to enable
On Wed, May 27, 2015 at 05:44:02PM +0200, Christoph Anton Mitterer wrote:
> On Wed, 2015-05-27 at 15:38 +0100, Colin Watson wrote:
> > The specific case that prompted the banner in the first place was that
> > of a university trying to ensure that systems on its network were secure,
> > where the c
On Wed, 2015-05-27 at 15:38 +0100, Colin Watson wrote:
> I've always disagreed with this, which is why the banner default is the
> way it is. In particular, I've generally seen very little in the way of
> evidence that people actually bother to select the servers they're going
> to attack based o
On Wed, May 27, 2015 at 09:42:38AM -0400, Daniel Kahn Gillmor wrote:
> Please change the defaults for the DebianBanner configuration variable
> to "no" from "yes".
>
> It's not clear to me that the advantages of announcing the debian
> version of the package that is running outweigh the additional
Package: openssh-server
Version: 1:6.7p1-6
Severity: wishlist
Please change the defaults for the DebianBanner configuration variable
to "no" from "yes".
It's not clear to me that the advantages of announcing the debian
version of the package that is running outweigh the additional metadata
leakag