Date: Mon, 26 Mar 2001 13:32:25 -0800
From: "Jeremiah Gowdy" <data@irev.net>
To: "Nate Williams" <nate@yogotech.com>, "Michael A. Dickerson" <mikey@singingtree.com>
Cc: "\"Duwde (Fabio V. Dias)\"" <duwde@duwde.com.br>, <freebsd-security@FreeBSD.ORG>
Subject: Re: SSHD revelaing too much information.
Message-ID: <001301c0b63c$40120670$035778d8@sherline.net>
References: <99o4ge$1h7n$1@FreeBSD.csie.NCTU.edu.tw> <005f01c0b62e$9cab5980$db9497cf@singingtree.com> <15039.44653.624089.289615@nomad.yogotech.com>
> > Uh, Kris Kennaway was the first to respond to you on -stable, and the first
> > to disagree that this is a problem. He *is* the FreeBSD Security Officer.
>
> That doesn't make him right.

Yeah I don't like that trend of thought. Kris Kennaway seems to be a knowledgeable guy, and yes he *is* the security officer, but that doesn't invalidate other people's opinions. If we had a magic team of people who were magically right all the time, FreeBSD wouldn't need public/user contributions. In a discussion like this, unless you're talking about authority on a subject, I don't think the title of the people has as much to do with the technical side of the argument. I'm sure Kris would agree that everyone makes mistakes and him being the security officer doesn't make him more right than other people. He just has the last word. There's a difference.

> > As others pointed out, it is trivial to determine the OS of a remote host.
>
> Not necessarily. And, a good rule of security is to never reveal
> information unless you have to. Don't go out of your way to stop folks
> from figuring out your OS. Make them work for out.

Although OSes can be fingerprinted, some are harder to guess than others. Especially in the case of open source operating systems, I wouldn't say it's trivial to determine the OS of a remote host if the admin doesn't want people to know. Even a crappy little Sonic Firewall will confuse nmap's OS fingerprinting in my experience. OS fingerprinting is not foolproof, and is pretty trivial to trick.

> > As others pointed out, it is extremely useful for the legitimate
> > administrator of a system to be able to query the version of various
> > services remotely.
>
> I disagree. Anyone who administers a small number of machines can keep
> track of it, and anyone who has a lot of machines won't trust the remote
> information. This is a specious argument.

I agree completely. "Query versions of various services remotely"? How about, "Alex, can I have 'First step for a script kiddie' for $200 please?"

> > You may even have a legitimate reason to audit the
> > services on machines you don't have an account on. Suppose you're
> > responsible for an academic network, where people can run anything they
> > want.
>
> Again, you're giving information to the crackers for free. Make them
> work for out.

You're going to audit services on machines you don't have an account on? Either you're the admin or you aren't. You can't be responsible for service level security on servers you don't even have a basic account on. That's foolish. Making information public so that you can exclude the security admin from having an account is bass ackwards.

> Security is ALL about having useful information, and denying as much
> information from your attacker is a great strategy. It can't be the
> only strategy, but it's a good first cut.
>
> Nate
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message