From owner-freebsd-security Tue Mar 27 16:45:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from moek.pir.net (moek.pir.net [130.64.1.215]) by hub.freebsd.org (Postfix) with ESMTP id 0646737B718 for ; Tue, 27 Mar 2001 16:45:53 -0800 (PST) (envelope-from pir@pir.net)
Received: from pir by moek.pir.net with local (Exim) id 14i45v-0005Pq-00 for security@FreeBSD.ORG; Tue, 27 Mar 2001 19:45:51 -0500
Date: Tue, 27 Mar 2001 19:45:51 -0500
From: Peter Radcliffe
To: security@FreeBSD.ORG
Subject: Re: SSHD revelaing too much information.
Message-ID: <20010327194550.A20633@pir.net>
Reply-To: security@freebsd.org
Mail-Followup-To: security@FreeBSD.ORG
References: <4.3.2.20010327160147.02c1b6c0@207.227.119.2> <20010327005503.J5425@rfx-216-196-73-168.users.reflex> <20010327005503.J5425@rfx-216-196-73-168.users.reflex> <4.3.2.20010327160147.02c1b6c0@207.227.119.2> <20010327173454.J12888@pir.net> <4.3.2.20010327173917.02803ae0@207.227.119.2>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <4.3.2.20010327173917.02803ae0@207.227.119.2>; from jeff-ml@mountin.net on Tue, Mar 27, 2001 at 06:09:11PM -0600
X-fish: <
X-Copy-On-Listmail: Please do NOT Cc: me on list mail.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Jeffrey J. Mountin" probably said:
> Argh, this can go on and on...

Which shows there are two distinct opinions here, and both should be allowed for.

> Presuming the first "vulnerable" needs an "un" prefix and say that this
> sounds like a shell game method of hoping they don't find the vulnerable
> system. Better to spend time keeping up-to-date than shuffling and hope
> they don't guess the right shell or server.

It's not a game or hoping, and I spend all the time needed to stay up to date, but often vulnerabilities are known in the black hat camp well before the white hats find out.

I also see many scans only going for the machines with advertised vulnerable versions and ignoring the ones which lie or give no version number (as I've already stated with IDS watching bind.version scans).

> Chances are they will be scanning blocks of IPs and if that is the case no
> sleight-of-hand will hide the fact of where the vulnerable system is.

This happens. The other case also happens.

> All cute wording aside, there was a time when I removed the version number
> from a daemon and found that the number of probes increased. Did it make
> the system any more secure, no. Almost as bad as using a "honey pot" to
> lure the bears away. Before they only came around now and again. Now they
> come for the honey you put out. Attracting more bears may not be necessarily
> bad, but can increase the risk of an "incident."

My direct experience disagrees with you. Machines where I remove or obscure version numbers get an order of magnitude fewer probes than those that have plain version numbers.

The bind servers on my work class B that don't give out version numbers have NEVER been attacked. The scans for version.bind ignore them. The recent bind vulnerabilities were well known before there was an available fix, and my not handing out version numbers meant the machine was not attacked before the fixes were available.

> Better to spend time limiting the loss should the house be broken into than
> hiding the fact there is a house there.

You can't fight what you don't know. Not all vulnerabilities are known or have fixes.

> Obscurity is a waste of time for little benefit IMO.

When it takes little effort and helps in some situations, I disagree with you.

P.

-- 
pir                  pir@pir.net                    pir@net.tufts.edu
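The version.bind scans the message refers to are easy to spot in a BIND query log, since a legitimate resolver has no reason to ask for CHAOS-class TXT records. The script below is an added example written for this page; it is not from the original post, the FreeBSD project or ISC BIND. It assumes the BIND 9 query-log line shape `client <ip>#<port>: query: <name> <class> <type> <flags>` (the timestamp prefix and anything after the flags are ignored), and the log lines it runs on are constructed here for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in BIND 9 query-log style (an assumed format, not
# real traffic and not from the original post).
SAMPLE_LOG = """\
27-Mar-2001 19:40:01.001 client 192.0.2.10#4321: query: version.bind CH TXT +
27-Mar-2001 19:40:01.002 client 192.0.2.10#4321: query: VERSION.BIND CH TXT +
27-Mar-2001 19:40:02.115 client 198.51.100.7#53: query: www.example.net IN A -
27-Mar-2001 19:40:03.003 client 203.0.113.44#1053: query: version.bind CH TXT +
27-Mar-2001 19:40:04.500 client 198.51.100.7#53: query: hostname.bind CH TXT +
this line is deliberately malformed and must be skipped
"""

# Matches the part of a query-log line that carries source address and question.
QUERY_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F:.]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# CHAOS-class names whose only purpose is to fingerprint the server software.
FINGERPRINT_NAMES = {"version.bind.", "hostname.bind.", "id.server.", "authors.bind."}


def parse_query(line):
    """Return a dict with src, qname, qclass, qtype for one log line, or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    # Normalise the name to lower case with a single trailing dot so that
    # "VERSION.BIND" and "version.bind." compare equal.
    name = m.group("qname").lower().rstrip(".") + "."
    return {
        "src": m.group("src"),
        "qname": name,
        "qclass": m.group("qclass").upper(),
        "qtype": m.group("qtype").upper(),
    }


def is_fingerprint_query(q):
    """True when the question is a CHAOS-class server-identification lookup."""
    return q["qclass"] == "CH" and q["qname"] in FINGERPRINT_NAMES


def scan_sources(log_text):
    """Count fingerprinting queries per source address across a query log."""
    counts = Counter()
    for line in log_text.splitlines():
        q = parse_query(line)
        if q is not None and is_fingerprint_query(q):
            counts[q["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, n in sorted(scan_sources(SAMPLE_LOG).items()):
        print(f"{src}: {n} fingerprint queries")
```

Run against a real `named` query log the counts tell you which sources are enumerating server versions ahead of a targeted scan. The knob the post is talking about is the `version` statement in the `options` block of named.conf (for example `version "none";`), and the check that it took effect is `dig @yourserver version.bind chaos txt`, which should return your chosen string rather than the real release.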