Date: Mon, 26 Mar 2001 14:18:51 -0600
From: Christopher Schulte <christopher@schulte.org>
To: "Michael A. Dickerson" <mikey@singingtree.com>, "\"Duwde (Fabio V. Dias)\"" <duwde@duwde.com.br>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: SSHD revelaing too much information.
Message-ID: <5.0.2.1.0.20010326140101.00a94608@pop.schulte.org>
In-Reply-To: <005f01c0b62e$9cab5980$db9497cf@singingtree.com>
References: <99o4ge$1h7n$1@FreeBSD.csie.NCTU.edu.tw>

At 11:54 AM 3/26/2001 -0800, Michael A. Dickerson wrote:
>I understand the desire not to reveal any more information than is
>necessary; that's why we disable finger, daytime, etc. That's fine when you
>only have to manage one or two machines and you can easily remember what's
>running at any given time. In that case there's nothing stopping you from
>changing the "version" to whatever you want. Unfortunately
>security-by-obscurity doesn't scale past the 1 or 2 boxes. If this were a
>democracy, I vote with the majority; please *don't* munge the version
>reported by sshd.

Yet another point which I don't believe was mentioned.... just a word of
common sense re: security by obscurity.

Many kid scripts don't give a damn what the service banner displays. Recent
bind exploits are going to hit 4.x, 8.x, and 9.x servers all the same. Why
wouldn't they - they know some admins will have altered the banners. And
others don't even care to build in additional checks. So they scan any and
every server they can find, regardless of what version or patch level it may
report.

The same applies to sshd. The 'green' banner does not attract any more
attention than it would without, IMHO. It does not make the service any more
or less secure.

As an admin you can:

a) limit access to clients that need the service
   (secureid/firewalls/tcpwrappers/whatever)

b) if that's not an option (public server that has clients from random
   networks) then make sure you're running a known secure version. Have an
   IDS in place to deal with a compromise should one actually occur.

>M.D.

--chris
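
Added example (not part of the original message, and not sshd's or FreeBSD's own code): a sketch of the fleet inventory that unmodified banners make possible, which is the scaling point in the quoted text. It parses SSH identification strings ("SSH-protoversion-softwareversion comments") and sorts hosts against a site policy version; the host names, banner strings and minimum version below are constructed.

```python
import re

# SSH identification string: "SSH-<proto>-<software>[ <comments>]" + CR LF
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?")


def parse_banner(line):
    """Return proto/software/comments/version, or None if not an SSH banner."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    proto, software, comments = m.groups()
    v = OPENSSH_RE.match(software)
    # version is a comparable tuple, or None when the software field
    # does not carry a recognisable OpenSSH version (e.g. it was munged)
    version = tuple(int(x or 0) for x in v.groups()) if v else None
    return {"proto": proto, "software": software,
            "comments": comments or "", "version": version}


def audit(inventory, min_version):
    """Classify each host as 'ok', 'outdated' or 'unknown'."""
    report = {}
    for host, banner in inventory.items():
        info = parse_banner(banner)
        if info is None or info["version"] is None:
            # Altered banner: the admin has to log in and check by hand.
            report[host] = "unknown"
        elif info["version"] < min_version:
            report[host] = "outdated"
        else:
            report[host] = "ok"
    return report


# Constructed sample inventory (hosts and banners are made up).
SAMPLE = {
    "web1.example.org": "SSH-1.99-OpenSSH_2.3.0 vendor-tag\r\n",
    "web2.example.org": "SSH-2.0-OpenSSH_2.5.2\r\n",
    "db1.example.org": "SSH-2.0-none_of_your_business\r\n",
}
MIN_VERSION = (2, 5, 2)  # constructed site policy, not a security claim

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE, MIN_VERSION).items()):
        print(f"{host:20} {status}")
```
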