<div class="gmail_quote">On Mon, Jan 9, 2012 at 5:03 PM, Przemek Klosowski <span dir="ltr">&lt;<a href="mailto:przemek.klosowski@nist.gov">przemek.klosowski@nist.gov</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="im">On 01/09/2012 09:08 AM, Matthew Garrett wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
On Mon, Jan 09, 2012 at 02:42:10AM +0100, Reindl Harald wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
no, maybe you should read AND try to understand<br>
</blockquote>
<br>
This kind of behaviour isn&#39;t acceptable within the project. Treat your<br>
fellow community members with respect. You&#39;re expected to follow the<br>
Fedora Code of Conduct<br>
(<a href="http://fedoraproject.org/wiki/Community_working_group/Code_of_Conduct" target="_blank">http://fedoraproject.org/wiki/Community_working_group/Code_of_Conduct</a>)<br>
while using project resources.<br>
<br>
</blockquote>
<br></div>
For the record, it was Ed Marshall &lt;<a href="mailto:esm@logic.net" target="_blank">esm@logic.net</a>&gt; who wrote the quoted sentence. In any case, I join Matthew in asking everyone to stay excellent, and keep the discussion on topic and friendly in tone.<br>

<br>
Regarding the merits of hiding the SSH version, in my opinion it&#39;s counterproductive: the scanners might as well say &quot;Oh, lookee here, they&#39;re hiding the SSH version, presumably because they don&#39;t patch, so let&#39;s try all the exploits&quot;.<br>

<br></blockquote><div>Hiding the version number or server type (http, ftp, etc.) reduces the possibility of automated attacks (if you know which tools are mostly used for fingerprinting and how to do anti-fingerprinting correctly), which also are part of the tools and methods used by professional penetration testers and ethical hackers, as I am - mostly ethical probably :=). In the case of openssh the version number is part of the protocol <a href="http://www.ietf.org/rfc/rfc4253.txt">http://www.ietf.org/rfc/rfc4253.txt</a> (see par. 4.2), so deleting it could be harmful. Of course there may be some false positives in the scanning phase of a pen test (e.g. <a href="http://www.nessus.org/plugins/index.php?view=single&amp;id=11837">http://www.nessus.org/plugins/index.php?view=single&amp;id=11837</a>).<br>
<br>But in general it is not true that this form of information hiding is not useful at all.<br><br>For example, most of the methodologies used for penetration testing - such as those of SANS 560 (and GIAC GPEN certification), just as an example - have as goals of the scanning phase something like:<br>
<br>........<br><br>determining which ports are open, and we also want to verify which service is listening and ..... the VERSION of the given application or application-level protocol (..., HTTP, SSH)<br><br>.....<br>etc.<br>
<br>I personally always hide the HTTP server type with something difficult to learn for an advanced attacker, but it is not always possible, sure.<br><br>I doubt that organizations such as SANS can be defined as non-qualified in their field.<br>
<br>Just another opinion.<br><br>Greetings<br></div></div><br>
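The message above points to RFC 4253 section 4.2, which defines the SSH identification line as "SSH-protoversion-softwareversion SP comments CR LF". The following parser is an added example, not part of the original thread; it shows why the software version field cannot simply be deleted, and it also applies the section's length and character rules. The function names and sample banners are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# Both version fields are printable US-ASCII, excluding whitespace and '-'.
_IDENT = re.compile(
    rb"SSH-(?P<proto>[\x21-\x2c\x2e-\x7e]+)-(?P<software>[\x21-\x2c\x2e-\x7e]+)"
    rb"(?: (?P<comments>[^\r\n]*))?"
)
MAX_LEN = 255  # whole identification line, including the trailing CR LF


def parse_ident(banner: bytes) -> dict:
    """Return the fields of the identification line, or raise ValueError."""
    for raw in banner.split(b"\n"):
        if not raw.startswith(b"SSH-"):
            continue  # a server may send other lines before its identification
        if len(raw) + 1 > MAX_LEN:  # +1 for the LF removed by split()
            raise ValueError("identification line longer than 255 bytes")
        m = _IDENT.fullmatch(raw.rstrip(b"\r"))
        if m is None:
            raise ValueError("protoversion or softwareversion missing/malformed")
        return {k: (v.decode("ascii", "replace") if v is not None else None)
                for k, v in m.groupdict().items()}
    raise ValueError("no SSH identification line found")


def is_compliant(banner: bytes) -> bool:
    """True if the banner parses and announces protocol 2.0 (or 1.99 compat)."""
    try:
        return parse_ident(banner)["proto"] in ("2.0", "1.99")
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    samples = [
        b"SSH-2.0-OpenSSH_5.8\r\n",                     # ordinary banner
        b"Welcome\r\nSSH-2.0-OpenSSH_5.8 Fedora\r\n",   # pre-banner line + comment
        b"SSH-2.0-\r\n",                                # software version deleted
    ]
    for s in samples:
        print(s, "->", "compliant" if is_compliant(s) else "rejected")
```
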