Re: SSHD revealing too much information.
From: Christopher Schulte (christopher@schulte.org)
Date: 03/26/01
- In reply to: Michael A. Dickerson: "Re: SSHD revealing too much information."
Date: Mon, 26 Mar 2001 14:18:51 -0600
To: "Michael A. Dickerson" <mikey@singingtree.com>, "\"Duwde (Fabio V. Dias)\"" <duwde@duwde.com.br>
From: Christopher Schulte <christopher@schulte.org>
At 11:54 AM 3/26/2001 -0800, Michael A. Dickerson wrote:
>I understand the desire not to reveal any more information than is
>necessary; that's why we disable finger, daytime, etc. That's fine when you
>only have to manage one or two machines and you can easily remember what's
>running at any given time. In that case there's nothing stopping you from
>changing the "version" to whatever you want. Unfortunately
>security-by-obscurity doesn't scale past the 1 or 2 boxes. If this were a
>democracy, I vote with the majority; please *don't* munge the version
>reported by sshd.
Yet another point which I don't believe was mentioned.... just a word of
common sense re: security by obscurity.

Many kid scripts don't give a damn what the service banner
displays. Recent bind exploits are going to hit 4.x, 8.x, and 9.x servers
all the same. Why wouldn't they - they know some admins will have altered
the banners. And others don't even care to build in additional checks. So
they scan any and every server they can find, regardless of what version or
patch level it may report. The same applies to sshd. The 'green' banner
does not attract any more attention than it would without, IMHO. It does
not make the service any more or less secure.

As an admin you can:

a) limit access to clients that need the service
(SecurID/firewalls/tcpwrappers/whatever)

b) if that's not an option (public server that has clients from random
networks) then make sure you're running a known secure version. Have an
IDS in place to deal with a compromise should one actually occur.
>M.D.
--chris
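
An added example, not part of the original message: a small audit of an admin's own host inventory that parses each sshd identification string ("SSH-protoversion-softwareversion comments") and compares it with a baseline the admin sets. The host names, banners and the baseline version are constructed placeholders; a banner altered to hide the version comes back as "unknown", which is the bookkeeping cost raised in the quoted text.

```python
import re

# SSH identification string: "SSH-protoversion-softwareversion[ SP comments]"
IDENT = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>[^\s-]+)(?: (?P<comments>.*))?$"
)
# Product name followed by a dotted numeric version, e.g. "OpenSSH_2.3.0"
SOFTWARE = re.compile(r"^(?P<product>[A-Za-z]+)[_-]?(?P<version>\d+(?:\.\d+)*)")


def parse_banner(line):
    """Return (product, version_tuple, comments), or None if not parseable."""
    m = IDENT.match(line.strip())
    if not m:
        return None
    s = SOFTWARE.match(m.group("software"))
    if not s:
        return None
    version = tuple(int(p) for p in s.group("version").split("."))
    return s.group("product"), version, m.group("comments") or ""


def audit(inventory, baseline):
    """Classify each host as 'ok', 'outdated' or 'unknown'."""
    report = {}
    for host, banner in inventory.items():
        parsed = parse_banner(banner)
        if parsed is None or parsed[0] not in baseline:
            report[host] = "unknown"  # altered or unrecognised banner: check by hand
        elif parsed[1] < baseline[parsed[0]]:
            report[host] = "outdated"
        else:
            report[host] = "ok"
    return report


# Constructed placeholder baseline: minimum version the admin accepts per product.
BASELINE = {"OpenSSH": (2, 5)}
# Constructed sample inventory: host name -> banner collected from that host.
INVENTORY = {
    "host-a": "SSH-1.99-OpenSSH_2.3.0 vendor-tag-20010101\r\n",
    "host-b": "SSH-2.0-OpenSSH_2.5.1",
    "host-c": "SSH-2.0-Server",  # version removed from the banner
}

if __name__ == "__main__":
    for host, status in sorted(audit(INVENTORY, BASELINE).items()):
        print(host, status)
```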