On Fri, 26 Sep 2003, Vincent wrote:
> You're already in pretty deep shit if you're worried about someone
> exploiting your SSH services and they get to see the banner. This means
> you haven't firewalled away the port or put in TCP Wrappers for it.
Yeah I only have a selected few with SSH access so access is pinched with those
but there are times when I'll be moving to a machine the host address is not
known until I get there. So open for all happens sometimes. There are a few
things I can do to side step this but it's not completely written yet.
Right, of course people need login servers and such which are open.
However, you will pay special attention to those boxes, keep them
up-to-date, even more so than other "protected" servers.
So, if your SSH version is always up-to-date, it doesn't give attackers
anything even if you release the release number.
> Banners are used to enable bug workarounds for broken versions, so they're
> pretty useful.. :-)
>
> There is an option in OpenSSH so you can set the Version string yourself
> if you want, btw.
If you mean setting the banner in sshd config that won't work. It is more like
an MOTD. If you netcat to 22 it will still spit everything out same as before.
If you meant something else, let me know. I'd like to try it out.
Sorry, it seems I was misremembering this. Someone must have proposed it
but it had been rejected. I thought you could forge the version number
completely with a config option.
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
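
Added example, not part of the original message: the version string discussed above is the SSH identification line ("SSH-protoversion-softwareversion SP comments", RFC 4253 section 4.2) that the server sends as soon as the TCP connection opens. This sketch parses that line and flags hosts whose advertised OpenSSH version is below a patch baseline; the host names, sample lines and baseline are constructed for illustration.

```python
import re

# Identification line: "SSH-protoversion-softwareversion SP comments"
IDENT_RE = re.compile(rb"^SSH-([^-\s]+)-(\S+)(?: (.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?")


def parse_ident(data: bytes):
    """Return (protoversion, softwareversion, comments) from the first line
    starting with "SSH-"; a server may send other text lines before it."""
    for line in data.split(b"\n"):
        m = IDENT_RE.match(line.rstrip(b"\r"))
        if m:
            proto, software, comments = m.groups()
            return (proto.decode("ascii", "replace"),
                    software.decode("ascii", "replace"),
                    (comments or b"").decode("ascii", "replace"))
    return None


def openssh_version(software: str):
    """Return the OpenSSH version as a tuple of ints, or None for other software."""
    m = OPENSSH_RE.match(software)
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def below_baseline(data: bytes, baseline: tuple) -> bool:
    """True when the advertised OpenSSH version is older than the baseline.
    Unparseable or non-OpenSSH strings return True so they get reviewed by hand."""
    ident = parse_ident(data)
    version = openssh_version(ident[1]) if ident else None
    return version is None or version < baseline


# Constructed sample data (not captured from any real host).
SAMPLES = {
    "login1": b"SSH-2.0-OpenSSH_3.7.1p2\r\n",
    "login2": b"pre-ident text line\r\nSSH-1.99-OpenSSH_3.4p1 constructed-comment\r\n",
    "appliance": b"SSH-2.0-ExampleSSHD_1.0\r\n",
}
BASELINE = (3, 7, 1)  # assumed patch baseline for this example

if __name__ == "__main__":
    for host, raw in SAMPLES.items():
        status = "REVIEW" if below_baseline(raw, BASELINE) else "ok"
        print(host, parse_ident(raw), status)
```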