Message-Id: <3.0.3.32.19990912151948.01d36380@207.227.119.2>
Date: Sun, 12 Sep 1999 15:19:48 -0500
To: patmac@demon.net, freebsd-questions@FreeBSD.ORG
From: "Jeffrey J. Mountin"
Subject: Re: How to prevent motd including os info
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199909111127.MAA00229@gti.noc.demon.net>

At 12:27 PM 9/11/99 +0100, Patrick MacKeown wrote:

[leaving -questions, not subscribed]

>Hi
>
>Please would somebody tell me how to prevent motd including the OS version
>and the kernel name. On my 3.2 box editing the lines out of /etc/motd just
>leads to them being replaced

Before this thread gets any more ridiculous...

Are you allowing users to telnet or ssh in in the first place? Or if you allow ftp, the version is a clue. If so, then what's to stop them from doing a 'uname' among other things.

Security through obscurity should be the subject here, at least until you mention that you *are* not allowing logins. Otherwise....

As for the question, make sure that you don't have 'update_motd="YES"' in /etc/rc.conf (or horror of horrors if you do this in /etc/defaults/rc.conf). Edit the file as you like and don't clobber it when you update /etc/ after a build.

FWIW, only the first 2 lines are left in motd. The rest is just noise for when others log in. Don't give a rat's @$$ if they know what the system is, since I'm allowing them on it anyways.

And for those that can't log in. Adding '-h' to telnet in inetd is a good idea, editing the outputs of the daemons listening to other ports is even better, but even then it is still possible to guess. Then again as well, one can just try an exploit, so you spent a lot of time for nothing.

my .02

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve
'86 Yamaha MaxiumX (not FBSD powered)
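
Added example, not part of the original message: a small sh helper that reports which update_motd value wins when several rc.conf-style files are read in order (a later file overrides an earlier one, as /etc/rc.conf does for /etc/defaults/rc.conf). The function names rc_value, motd_update_enabled and demo, and the sample file contents, are constructed for illustration.

```shell
#!/bin/sh
# rc_value VAR FILE...
# Print the last value assigned to VAR across the given rc.conf-style files.
# Files are read in the order given, so a later file overrides an earlier one.
rc_value() {
    var=$1; shift
    val=
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Only uncommented "VAR=..." lines count; "#VAR=..." is ignored.
        if grep -q "^[[:space:]]*${var}=" "$f"; then
            # Take the last assignment, drop a trailing comment,
            # trailing whitespace and one layer of surrounding quotes.
            val=$(sed -n "s/^[[:space:]]*${var}=\([^#]*\).*/\1/p" "$f" |
                tail -n 1 |
                sed -e 's/[[:space:]]*$//' \
                    -e 's/^"\(.*\)"$/\1/' \
                    -e "s/^'\(.*\)'\$/\1/")
        fi
    done
    printf '%s\n' "$val"
}

# motd_update_enabled FILE...
# Succeeds only when the effective update_motd value is YES (any case).
motd_update_enabled() {
    case $(rc_value update_motd "$@") in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample input: a defaults file that enables the knob and a
# local file that overrides it. Prints the effective value.
demo() {
    d=$(mktemp -d) || return 1
    printf 'update_motd="YES"\t# constructed defaults file\n' > "$d/defaults"
    printf '# constructed local file\nupdate_motd="NO"\n' > "$d/local"
    rc_value update_motd "$d/defaults" "$d/local"
    rm -rf "$d"
}

demo
# On a real system:
#   rc_value update_motd /etc/defaults/rc.conf /etc/rc.conf
```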