From: Peter Radcliffe <pir@pir.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: SSHD revelaing too much information.
Date: Mon, 26 Mar 2001 15:54:02 -0500
Message-ID: <20010326155402.A9081@pir.net>
In-Reply-To: <5.0.2.1.0.20010326140101.00a94608@pop.schulte.org>; from christopher@schulte.org on Mon, Mar 26, 2001 at 02:18:51PM -0600
References: <99o4ge$1h7n$1@FreeBSD.csie.NCTU.edu.tw> <005f01c0b62e$9cab5980$db9497cf@singingtree.com> <5.0.2.1.0.20010326140101.00a94608@pop.schulte.org>

Christopher Schulte probably said:
> At 11:54 AM 3/26/2001 -0800, Michael A. Dickerson wrote:
> >I understand the desire not to reveal any more information than is
> >necessary; that's why we disable finger, daytime, etc. That's fine when you
> >only have to manage one or two machines and you can easily remember what's
> >running at any given time.

I've scaled not giving out version information and maintaining such to
hundreds of machines and really don't see this as a problem.

> >In that case there's nothing stopping you from
> >changing the "version" to whatever you want.

Other than the fact you have to do it each time. If this was configurable
other than at compile time then both sides could be happy.

> >Unfortunately security-by-obscurity doesn't scale past the 1 or 2
> >boxes. If this were a democracy, I vote with the majority; please
> >*don't* munge the version reported by sshd.

Some people apparently want this information available, fine. Others don't.
At the moment this change is not configurable other than by recompiling,
something you have to remember to do each time. If it was configurable I'd
turn it off and not be complaining.

> Many kid scripts don't give a damn what the service banner
> displays. Recent bind exploits are going to hit 4.x, 8.x, and 9.x servers
> all the same. Why wouldn't they - they know some admins will have altered
> the banners. And others don't even care to build in additional checks. So
> they scan any and every server they can find, regardless of what version or
> patch level it may report.

Actually, every single bind scan across our /16 that my IDS has spotted
(which is lots) has checked versions, found the few that are running
vulnerable versions and attempted to attack just those.

> The same applies to sshd. The 'green' banner does not attract any
> more attention than it would without, IMHO. It does not make the
> service any more or less secure.

It gives out information that is unneeded. This goes against my security
principles. Do you have a list of versions of all packages on your systems
available to the net, unsecured? It would make checking versions and
administration easier, but there's no way in hell you'll find me doing that.

Useful security is a balance between functionality/usability and security.
Giving out this information provides no extra functionality for me and
provides information to a potential attacker.

> a) limit access to clients that need the service
> (secureid/firewalls/tcpwrappers/whatever)

Not feasible for some of my work machines. I'm working on this, but
sometimes you just can't.

> b) if that's not an option (public server that has clients from random
> networks) then make sure you're running a known secure version. Have an
> IDS in place to deal with a compromise should one actually occur.

The problem is that there's no such thing as a "known secure" version.
There are just versions that are not known insecure yet.

P.

-- 
pir                  pir@pir.net                  pir@net.tufts.edu
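The thread's disagreement is about how much an sshd identification string gives away. The following is an added example, not code from the thread or from OpenSSH or FreeBSD: it parses identification strings in the RFC 4253 section 4.2 form (`SSH-protoversion-softwareversion SP comments`) and grades what each one discloses, so an administrator can audit their own inventory of banners rather than guess. The `INVENTORY` dictionary, the host names and the banner strings in it are constructed for the example; the classification into "product", "version" and "version+platform" is this example's own convention.

```python
"""Audit what an SSH identification string discloses (added example).

Banner format, RFC 4253 section 4.2:
    SSH-protoversion-softwareversion SP comments CR LF
"""
import re
from dataclasses import dataclass
from typing import Optional

# Whole identification line: protocol version, software token, optional comment.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)
# Splits a software token such as "OpenSSH_8.9p1" into product and version.
# Tokens with no separator before the digits fall back to "whole token, no version".
SOFTWARE_RE = re.compile(r"^(?P<product>[A-Za-z]+)(?:[_-](?P<version>\d\S*))?$")


@dataclass
class Banner:
    proto: str
    product: str
    version: Optional[str]
    comments: Optional[str]

    def disclosure_level(self) -> str:
        """How much a remote party learns from this banner alone."""
        if self.version and self.comments:
            # exact build plus a vendor/platform tag: most useful to a scanner
            return "version+platform"
        if self.version:
            return "version"
        return "product"


def parse_banner(line: str) -> Optional[Banner]:
    """Parse one identification line; return None if it is not an SSH banner."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    sw = SOFTWARE_RE.match(m.group("software"))
    if sw:
        product, version = sw.group("product"), sw.group("version")
    else:
        product, version = m.group("software"), None
    return Banner(m.group("proto"), product, version, m.group("comments") or None)


# Constructed inventory: host -> banner its sshd sends (not real hosts).
INVENTORY = {
    "shell1.example.test": "SSH-1.99-OpenSSH_2.3.0 example-vendor-20010321",
    "shell2.example.test": "SSH-2.0-OpenSSH_8.9p1",
    "bastion.example.test": "SSH-2.0-OpenSSH",
    "router.example.test": "garbage",
}


def audit_inventory(inventory: dict) -> list:
    """Return (host, level, banner) for every host whose banner deserves a look:
    anything disclosing a version, plus lines that are not SSH banners at all."""
    findings = []
    for host, line in sorted(inventory.items()):
        b = parse_banner(line)
        if b is None:
            findings.append((host, "unparseable", line))
        elif b.disclosure_level() != "product":
            findings.append((host, b.disclosure_level(), line))
    return findings


if __name__ == "__main__":
    for host, level, line in audit_inventory(INVENTORY):
        print(f"{host:24} {level:18} {line}")
```

Run against your own collected banners, the report shows which hosts hand out an exact build string and which only name the product; the first group is exactly what a version-checking scan, of the kind the post describes seeing against bind, keys on.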