From owner-freebsd-security Mon Mar 26 12:19:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id 7E9A037B71B for ; Mon, 26 Mar 2001 12:19:43 -0800 (PST) (envelope-from christopher@schulte.org)
Received: from schulte-laptop.schulte.org (nb-105.netbriefings.com [204.72.185.105]) by poontang.schulte.org (8.9.3/8.9.3) with ESMTP id OAA30214; Mon, 26 Mar 2001 14:19:11 -0600 (CST) (envelope-from christopher@schulte.org)
Message-Id: <5.0.2.1.0.20010326140101.00a94608@pop.schulte.org>
X-Sender: schulte@pop.schulte.org
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Mon, 26 Mar 2001 14:18:51 -0600
To: "Michael A. Dickerson" , "\"Duwde (Fabio V. Dias)\""
From: Christopher Schulte
Subject: Re: SSHD revealing too much information.
Cc:
In-Reply-To: <005f01c0b62e$9cab5980$db9497cf@singingtree.com>
References: <99o4ge$1h7n$1@FreeBSD.csie.NCTU.edu.tw>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 11:54 AM 3/26/2001 -0800, Michael A. Dickerson wrote:
>I understand the desire not to reveal any more information than is
>necessary; that's why we disable finger, daytime, etc. That's fine when you
>only have to manage one or two machines and you can easily remember what's
>running at any given time. In that case there's nothing stopping you from
>changing the "version" to whatever you want. Unfortunately
>security-by-obscurity doesn't scale past the 1 or 2 boxes. If this were a
>democracy, I vote with the majority; please *don't* munge the version
>reported by sshd.

Yet another point which I don't believe was mentioned.... just a word of
common sense re: security by obscurity.

Many kid scripts don't give a damn what the service banner displays.
Recent bind exploits are going to hit 4.x, 8.x, and 9.x servers all the
same. Why wouldn't they - they know some admins will have altered the
banners. And others don't even care to build in additional checks. So they
scan any and every server they can find, regardless of what version or
patch level it may report.

The same applies to sshd. The 'green' banner does not attract any more
attention than it would without, IMHO. It does not make the service any
more or less secure.

As an admin you can:

a) limit access to clients that need the service
(secureid/firewalls/tcpwrappers/whatever)

b) if that's not an option (public server that has clients from random
networks) then make sure you're running a known secure version. Have an
IDS in place to deal with a compromise should one actually occur.

>M.D.

--chris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
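The thread's option (b), keeping every public sshd on a known good version, and Michael's point that the reported version is what lets an admin keep track of more than one or two boxes, both come down to the same routine task: reading the identification string each of your own hosts sends and comparing it with a floor you set. The following is an added example written for this page, not code from the thread or from any FreeBSD or OpenSSH source. It assumes only the SSH transport identification-string format from RFC 4253 section 4.2 ("SSH-protoversion-softwareversion SP comments CR LF"); the host label, the minimum-version table and the sample banner served by the throwaway local server are constructed placeholders, not real values from this thread.

```python
"""Inventory the sshd identification strings of hosts you administer and
flag any that do not meet a minimum version you choose.

Added example for this thread, not code from it. Assumes only the RFC 4253
identification-string format. Host names, the minimum-version table and
the sample banner are constructed placeholders.
"""
import re
import socket
import threading

# "SSH-" protoversion "-" softwareversion [SP comments]; CR LF already stripped.
IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_ssh_banner(line):
    """Split an identification line into protoversion, software and comments."""
    line = line.rstrip("\r\n")
    m = IDENT_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return {"protoversion": m["proto"], "software": m["software"], "comments": m["comments"]}


def software_version(software):
    """Turn e.g. "OpenSSH_2.5.2p2" into ("OpenSSH", (2, 5, 2)).
    A string with no numeric version yields (software, ())."""
    name, _, rest = software.partition("_")
    m = re.match(r"(\d+(?:\.\d+)*)", rest)
    if not m:
        return software, ()
    return name, tuple(int(x) for x in m.group(1).split("."))


def meets_minimum(software, minimum):
    """True only if the product is listed in `minimum` and its version is not
    below the floor. Unknown products, munged banners and unparsable versions
    all come back False so they get looked at by a person."""
    name, version = software_version(software)
    floor = minimum.get(name)
    if floor is None or not version:
        return False
    return version >= floor


def fetch_ssh_banner(host, port=22, timeout=5.0):
    """Connect and read the server's identification line without sending
    anything. RFC 4253 lets the server send other lines first; skip those."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        while True:
            raw = reader.readline(255)  # identification lines are at most 255 bytes
            if not raw:
                raise ConnectionError("connection closed before identification string")
            line = raw.decode("utf-8", "replace")
            if line.startswith("SSH-"):
                return line.rstrip("\r\n")


def inventory(hosts, minimum):
    """hosts: iterable of (label, host, port). Returns one record per host,
    with ok=False and the error text for hosts that could not be checked."""
    records = []
    for label, host, port in hosts:
        try:
            banner = parse_ssh_banner(fetch_ssh_banner(host, port))
            ok = meets_minimum(banner["software"], minimum)
            records.append({"host": label, "banner": banner, "ok": ok, "error": None})
        except (OSError, ValueError) as exc:  # ConnectionError is an OSError
            records.append({"host": label, "banner": None, "ok": False, "error": str(exc)})
    return records


def serve_constructed_banner(banner):
    """Constructed stand-in for a real sshd: a local TCP server that sends
    `banner` once and closes, so the inventory can be exercised offline.
    Returns (host, port, thread)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner.encode())
        conn.close()
        srv.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return "127.0.0.1", port, thread


if __name__ == "__main__":
    # Constructed sample banner and placeholder floor; substitute your own hosts
    # and the version you have decided is your minimum.
    host, port, _ = serve_constructed_banner("SSH-1.99-OpenSSH_2.5.2p2 constructed-sample\r\n")
    for record in inventory([("demo-box", host, port)], {"OpenSSH": (2, 5, 2)}):
        print(record)
```

A host whose banner has been altered to something the table does not recognise is reported with ok=False just like an out-of-date one, which is the practical cost of munging that Michael describes: the obscurity does nothing against a scanner that tries every host regardless, but it does make your own inventory need a manual follow-up.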