On Mon, Jan 9, 2012 at 5:03 PM, Przemek Klosowski <przemek.klosowski@nist.gov> wrote:
On 01/09/2012 09:08 AM, Matthew Garrett wrote:
On Mon, Jan 09, 2012 at 02:42:10AM +0100, Reindl Harald wrote:

no, maybe you should read AND try to understand

This kind of behaviour isn't acceptable within the project. Treat your
fellow community members with respect. You're expected to follow the
Fedora Code of Conduct
(http://fedoraproject.org/wiki/Community_working_group/Code_of_Conduct)
while using project resources.


For the record, it was Ed Marshall <esm@logic.net> who wrote the quoted sentence. In any case, I join Matthew in asking everyone to stay excellent, and keep the discussion on topic and friendly in tone.

Regarding the merits of hiding the SSH version, in my opinion it's counterproductive: the scanners might as well say "Oh, lookee here, they're hiding the SSH version, presumably because they don't patch, so let's try all the exploits".

Hiding the version number or server type (http, ftp, etc.) reduces the possibility of automated attacks (if you know which tools are mostly used for fingerprinting and how to do anti-fingerprinting correctly), which are also part of the tools and methods used by professional penetration testers and ethical hackers, as I am - mostly ethical probably :=). In the case of openssh the version number is part of the protocol, http://www.ietf.org/rfc/rfc4253.txt (see par. 4.2), so deleting it could be harmful. Of course there may be some false positives in the scanning phase of a pen test (e.g. http://www.nessus.org/plugins/index.php?view=single&id=11837).

But in general it is not true that this form of information hiding is not useful at all.

For example, most of the methodologies used for penetration testing - such as those of SANS 560 (and the GIAC GPEN certification), just for an example - have as goals of the scanning phase something like:

........

determining which ports are open, and we also want to verify which service is listening and ..... the VERSION of the given application or application-level protocol (..., HTTP, SSH)

.....
etc.

I personally always hide the HTTP server type with something difficult for an advanced attacker to learn from, but it is not always possible, sure.

I doubt that organizations such as SANS can be defined as non-qualified in their field.

Just another opinion.

Greetings
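As an added example for the RFC 4253 point raised in the thread (this is not code from the thread, from OpenSSH or from any scanner mentioned), here is a small Python checker that parses the SSH identification string as section 4.2 of the RFC defines it and audits a constructed list of banners. It shows the difference the thread is circling: replacing the software version with a stable generic string still yields a well-formed identification string, while deleting it leaves a line the parser rejects. The sample banners are constructed, and the requirement that `softwareversion` be non-empty is this example's reading of the RFC.

```python
import re

# RFC 4253 section 4.2: each side first sends an identification string of the form
#     SSH-protoversion-softwareversion SP comments CR LF
# 'protoversion' and 'softwareversion' are printable US-ASCII without whitespace
# or '-', and the whole line is at most 255 characters including CR LF.
# Assumption made here: 'softwareversion' must contain at least one character.
MAX_ID_LEN = 255

ID_RE = re.compile(
    rb"^SSH-(?P<proto>\d+\.\d+)-"
    rb"(?P<software>[\x21-\x2c\x2e-\x7e]+)"       # printable ASCII, no SP, no '-'
    rb"(?: (?P<comments>[\x20-\x7e]*))?$"          # optional SP + comments
)


def parse_ssh_identification(line: bytes) -> dict:
    """Parse one identification string exactly as read from the socket.

    Returns a dict with 'proto', 'software', 'comments' (None when absent) and
    'crlf' (False when the server ended the line with a bare LF).
    Raises ValueError when the line does not follow the RFC 4253 format.
    """
    if len(line) > MAX_ID_LEN:
        raise ValueError("identification string longer than 255 bytes")
    if line.endswith(b"\r\n"):
        body = line[:-2]
    elif line.endswith(b"\n"):
        # Some older servers send a bare LF; the RFC requires CR LF, so the
        # deviation is recorded rather than treated as a hard failure.
        body = line[:-1]
    else:
        raise ValueError("identification string is not newline terminated")
    m = ID_RE.match(body)
    if m is None:
        raise ValueError("identification string does not match RFC 4253 grammar: %r" % line)
    comments = m.group("comments")
    return {
        "proto": m.group("proto").decode("ascii"),
        "software": m.group("software").decode("ascii"),
        "comments": comments.decode("ascii") if comments is not None else None,
        "crlf": line.endswith(b"\r\n"),
    }


def is_rfc4253_identification(line: bytes) -> bool:
    """True when the line parses as a well-formed identification string."""
    try:
        parse_ssh_identification(line)
        return True
    except ValueError:
        return False


def audit_banners(banners):
    """Classify (host, banner) pairs, e.g. from an inventory job's captured banners.

    Returns a dict host -> 'ok', 'lf-only' or 'malformed'.
    """
    report = {}
    for host, raw in banners:
        try:
            parsed = parse_ssh_identification(raw)
        except ValueError:
            report[host] = "malformed"
            continue
        report[host] = "ok" if parsed["crlf"] else "lf-only"
    return report


# Constructed sample banners (hostnames and strings are made up for this example).
SAMPLE_BANNERS = [
    ("host-a", b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n"),  # typical, compliant
    ("host-b", b"SSH-2.0-OpenSSH_5.3\n"),                      # bare LF terminator
    ("host-c", b"SSH-2.0-\r\n"),                               # version deleted outright
    ("host-d", b"SSH-2.0-Generic_1.0\r\n"),                    # version replaced: still compliant
]

if __name__ == "__main__":
    for host, status in audit_banners(SAMPLE_BANNERS).items():
        print(host, status)
```

Run it with `python3 banner_check.py` (file name is whatever you save it as); `host-c`, the banner with the software version removed, is the only one reported as malformed, while `host-d`, which substitutes a generic string, parses like any other server. Note that the parser is strict about the RFC's no-'-' rule for `softwareversion`, so some real-world banners that embed a hyphen there will be flagged as malformed too.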