service version disclosure

yersinia yersinia.spiros at gmail.com
Mon Jan 9 19:22:41 UTC 2012


On Mon, Jan 9, 2012 at 5:03 PM, Przemek Klosowski <przemek.klosowski at nist.gov> wrote:

> On 01/09/2012 09:08 AM, Matthew Garrett wrote:
>
>> On Mon, Jan 09, 2012 at 02:42:10AM +0100, Reindl Harald wrote:
>>
>>> no, maybe you should read AND try to understand
>>
>> This kind of behaviour isn't acceptable within the project. Treat your
>> fellow community members with respect. You're expected to follow the
>> Fedora Code of Conduct
>> (http://fedoraproject.org/wiki/Community_working_group/Code_of_Conduct)
>> while using project resources.
>>
> For the record, it was Ed Marshall <esm at logic.net> who wrote the quoted
> sentence. In any case, I join Matthew in asking everyone to stay excellent,
> and keep the discussion on topic and friendly in tone.
>
> Regarding the merits of hiding the SSH version, in my opinion it's
> counterproductive: the scanners might as well say "Oh, lookee here, they're
> hiding the SSH version, presumably because they don't patch, so let's try
> all the exploits".
>
Hiding the version number or server type (http, ftp etc.) reduces the
possibility of automated attacks (if you know which tools are mostly used
for fingerprinting and how to do anti-fingerprinting correctly), which also are
part of the tools and methods used by professional penetration
testers and ethical hackers, as I am - mostly ethical probably :=). In
the case of openssh the version number is part of the protocol
(http://www.ietf.org/rfc/rfc4253.txt, see par. 4.2), so deleting it could be
harmful. Of course there may be some false positives in the scanning phase
of a pen test (eg
http://www.nessus.org/plugins/index.php?view=single&id=11837).

But in general it is not true that this form of information hiding is not
useful at all.

For example, most of the methodologies used for penetration testing - such as
that of SANS 560 (and the GIAC GPEN certification), just for one example - have
as goals of the scanning phase something like:

........

determining which ports are open, and we also want to verify which service
is listening and ..... the VERSION of the given application or
application-level protocol (..., HTTP, SSH)

.....
etc.

I personally always hide the HTTP server type with something difficult for
an advanced attacker to learn, but it is not always possible, sure.

I doubt that organizations such as SANS can be defined as non-qualified in
their field.

Just another opinion.

Greetings
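The point above about the SSH version string being part of the protocol (RFC 4253, par. 4.2), as an added example that is not part of this thread: a small parser for the server identification line, written from the defender's side, showing which fields the protocol requires (the softwareversion token must stay) and which can be dropped (the optional comments). The sample banners are constructed, not captured from any host.

```python
import re

# RFC 4253 section 4.2: the server's identification line is
#   SSH-protoversion-softwareversion SP comments CR LF
# protoversion and softwareversion are printable US-ASCII with no whitespace
# and no '-'; comments are optional; the whole line is at most 255 bytes
# including CR LF. Added example, not code from the thread.
MAX_LEN = 255
_TOKEN = r"[\x21-\x2c\x2e-\x7e]+"  # printable ASCII minus SP and '-'
_IDENT = re.compile(
    r"^SSH-(?P<proto>" + _TOKEN + r")-(?P<software>" + _TOKEN + r")"
    r"(?: (?P<comments>[\x20-\x7e]*))?$"
)


def parse_ssh_identification(line: bytes) -> dict:
    """Split one identification line into its fields, or raise ValueError
    if it is not well-formed under RFC 4253 4.2."""
    if len(line) > MAX_LEN:
        raise ValueError("identification line longer than 255 bytes")
    if not line.endswith(b"\r\n"):
        raise ValueError("identification line must end with CR LF")
    text = line[:-2].decode("ascii")  # non-ASCII bytes raise here
    m = _IDENT.match(text)
    if m is None:
        raise ValueError("not of the form SSH-protoversion-softwareversion")
    return {"proto": m["proto"], "software": m["software"],
            "comments": m["comments"]}  # comments is None when absent


def is_well_formed(line: bytes) -> bool:
    try:
        parse_ssh_identification(line)
        return True
    except ValueError:
        return False


def minimal_banner(line: bytes) -> bytes:
    """Least-revealing form that still satisfies 4.2: comments dropped,
    the mandatory softwareversion token kept (deleting it breaks parsing)."""
    f = parse_ssh_identification(line)
    return f"SSH-{f['proto']}-{f['software']}\r\n".encode("ascii")


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    for b in (b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n",
              b"SSH-2.0-\r\n",              # softwareversion deleted
              b"SSH-2.0-OpenSSH_5.9p1"):    # CR LF missing
        print(b, "well-formed" if is_well_formed(b) else "malformed")
```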