Date: Sun, 25 Mar 2001 03:28:36 -0300
From: "Duwde (Fabio V. Dias)" <duwde@duwde.com.br>
To: "Jason C. Wells" <jcwells@highperformance.net>
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: sshd revealing too much stuff.
Message-ID: <3ABD9014.E78871BC@duwde.com.br>
References: <Pine.BSF.4.21.0103232116280.8531-100000@server.highperformance.net>

There is little sense in posting this back; anyway, I want to make things
clear. It's really incredible how a few people can laugh at something
they don't understand. Please try to understand what I'm saying....

> This super secret place wouldn't happen to be:
> Received: from astral.isec.com.br (astral.isec.com.br [200.254.79.62])

No, there is no secret whatsoever. And yes, we all know that you can
read mail headers, what's the big deal? All machines running latest
stable will show this behavior (including my own server). I never tried
to hide anything.

> Which also happens to be a webserver, mail server, and name server.

Nice, it seems you can run nmap.

> Well... is this a fingerprint?
> X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.3-BETA i386)

NO !! YOU'RE 110% WRONG !!
Just for your information, THIS ISN'T the server above. It's another
machine, the server above isn't running Xfree, nor Netscape.

> Mr. Kennaway was right. It was pretty trivial to fingerprint a system on
> the net.

As you can see, you were UNABLE to fingerprint the system above, as
you've identified the OS version using the Mail header that came from
ANOTHER machine *(my personal one)*. I sent it through an SSH redirect
tunnel (that's why you THOUGHT it was coming from localhost). If it were
localhost, it probably would be injected directly (no localhost
connection needed). Don't comment on what you can't understand.

Btw the question I started isn't whether you can use any KNOWN
fingerprint technique to identify the OS, that's easy to do through many
ways, the question is that when they added "green@FreeBSD.org 200103021"
to the SSH_VERSION, and as sshd is a server USUALLY allowed to the whole
internet, they are allowing ANYONE to know the EXACT OpenSSH version +
Freebsd.mods just connecting to the sshd port. Pretty easier than any
known fingerprint method I know.
(Except your wrong way to identify things, through mails hahah)

As someone has already stated on this list after my first post, it's
used to IDENTIFY which SSHDs are FIXED against the latest bugs. So we're
making life easier to possible attackers. They can EASILY know (without
using any advanced fingerprint technology) that I'm using FreeBSD, and
the exact version of SSHD I'm running (fixed one, btw). So if your server
doesn't have the new "tag", you're vulnerable. Sounds good to you?

I don't think this is a good approach. Nor do many people on the net
thinking about security. And no, this ISN'T security by obscurity, I
just don't like to let anyone know more than they need. If you don't
care, I don't mind.

Btw, this is my last post on this issue.

--
Fabio Vilan Dias / Duwde <duwde@duwde.com.br>
PGP key @ http://www.duwde.com.br/duwdepgp.asc
FP = BB35 50F2 7F83 655D 6B11 F0A2 F8E2 FF3D

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3ABD9014.E78871BC>
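
The message above is about what the sshd identification string discloses. As an added illustration (not part of the original message, and not FreeBSD or OpenSSH code), this parser splits an identification line in the RFC 4253 section 4.2 layout and lists what any connecting client learns from it. The sample banners are constructed: `OpenSSH_X.Y` is a placeholder, and the comment tag is the one quoted in the message.

```python
import re

# RFC 4253 section 4.2 layout:
#   SSH-protoversion-softwareversion SP comments CR LF
_IDENT = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def parse_ident(raw: bytes) -> dict:
    """Return the fields of the first SSH identification line in raw."""
    for line in raw.split(b"\n"):
        text = line.rstrip(b"\r").decode("ascii", "replace")
        if not text.startswith("SSH-"):
            continue  # a server may send other lines before the identification
        if len(line) + 1 > 255:  # limit includes CR LF
            raise ValueError("identification string exceeds 255 bytes")
        match = _IDENT.match(text)
        if match is None:
            raise ValueError("malformed identification string: %r" % text)
        return match.groupdict()
    raise ValueError("no SSH identification line found")


def disclosed(fields: dict) -> list:
    """List what a remote peer learns from the identification fields."""
    out = ["protocol " + fields["proto"], "software " + fields["software"]]
    if fields["comments"]:
        # The optional comments field is where a vendor or patch tag ends up.
        out.append("vendor/patch tag " + fields["comments"])
    return out


# Constructed samples (not captured from any real host).
TAGGED = b"SSH-2.0-OpenSSH_X.Y green@FreeBSD.org 200103021\r\n"
PLAIN = b"pre-banner text\r\nSSH-2.0-OpenSSH_X.Y\r\n"

if __name__ == "__main__":
    for sample in (TAGGED, PLAIN):
        print(disclosed(parse_ident(sample)))
```

Feeding it the first line your own sshd sends shows whether the optional comments field carries a vendor or patch tag in addition to the software version.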