Date:      Mon, 26 Mar 2001 22:26:07 +0200
From:      Gerhard Sittig <Gerhard.Sittig@gmx.net>
To:        freebsd-security@freebsd.org
Subject:   Re: SSHD revealing too much information.
Message-ID:  <20010326222607.V20830@speedy.gsinet>
In-Reply-To: <3ABF93BE.A855334@duwde.com.br>; from duwde@duwde.com.br on Mon, Mar 26, 2001 at 04:08:46PM -0300
References:  <3ABF93BE.A855334@duwde.com.br>

On Mon, Mar 26, 2001 at 16:08 -0300, Duwde (Fabio V. Dias) wrote:
> 
> I've already posted this at FreeBSD-stable@freebsd.org but it
> seems some people haven't agreed on this issue, so I'm posting
> this here, as it's security related.

I'm not sure what makes you think that -stable readers will have
a different view than -security subscribers ...

> [ ... ]
> #define SSH_VERSION	"OpenSSH_2.3.0 green@FreeBSD.org 20010321"
> [ ... this string being visible to net logins / scans ... ]

> So as SSHD is a daemon USUALLY enabled to the whole internet,
> anyone can find out what OS (FreeBSD), and what SSHD *cvsuped*
> version is running. As well as if it has been fixed or NOT.

You name it.  It's *only* about the _sshd_ version.  Nothing
less.  And nothing more.

BTW:  Who said that paranoid admins (as you seem to be) still
have their daemons show an *appropriate* banner?  And who said
that attacks are run only when the banner points toward
vulnerable daemon versions?  Who said kiddies / idiots run any
banner check at all before trying any kit they have -- short of
knowing at all what's going on?  And how can you think that the
bug isn't there and doesn't get probed for just because the
banner doesn't point to it?  I really have a hard time seeing any
real advantage in obscurity ...

The most important reason for introducing this special and
discriminating version string was to enable admins to tell one
version from another.  Hiding this info doesn't buy you anything
but maybe only makes you _believe_ you are more secure (which is
even more dangerous), while providing this info is valuable to
those who have to monitor and maintain their networks.

You are free to change the string -- as long as it fits the spec
(cited somewhere in the thread where this very extension was
discussed as well as referred to in the commit messages -- you do
read those messages when running -STABLE, don't you?).

An even better solution could(!) be if you _provide_ a change to
turn this info on/off instead of demanding others to take back
what they insert for a reason or to bend themselves only for
serving your wish for obscurity.

> So targeting attacks to unfixed SSHDs running FreeBSD would be
> made easier, as well as any other attacks in the future, 'cause
> there will be no doubt of what OS the host is running. (plus a
> good idea of its version, using the 20010321 string)

See above.  How much does this banner have to hole?  It could
even be a honeypot and dangerous to attack ...  It's really
nothing more than "a good idea".

If you're as paranoid as you look don't offer things like login
facilities (or networked services at all) "to the world by
default" ...

> Please let me know if I'm missing something...

You have gotten the same answers in the other thread:  obscurity
doesn't result in better (if any) security!


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
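The thread turns on two things: what a banner scan actually learns from a string like "OpenSSH_2.3.0 green@FreeBSD.org 20010321", and the remark that you may change the string as long as it fits the spec. The script below is an added example, not code from the thread or from FreeBSD/OpenSSH. It parses the SSH identification line according to the grammar later fixed in RFC 4253 ("SSH-protoversion-softwareversion SP comments CR LF", where softwareversion may contain neither whitespace nor "-"), shows which field carries the OS hint, and validates a replacement string before it goes into a banner. The sample banners are constructed, the `_OS_TOKENS` table is a hypothetical stand-in for a real fingerprint database, and all function names are the example's own.

```python
"""Parse SSH identification strings the way a banner scanner (or an admin's
inventory tool) does, and check a replacement string against the grammar.
Added example; not code from the original thread."""
import re
from dataclasses import dataclass
from typing import Optional

# Grammar (RFC 4253 section 4.2):
#   SSH-protoversion-softwareversion SP comments CR LF
# softwareversion: printable US-ASCII, no whitespace, no '-' (0x2d).
# comments: optional, free-form printable US-ASCII, spaces allowed.
_SOFTWARE_CHARS = r"[\x21-\x2c\x2e-\x7e]"
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+(?:\.[0-9]+)*)-"
    r"(?P<software>" + _SOFTWARE_CHARS + r"+)"
    r"(?: (?P<comments>[\x20-\x7e]*))?\r?\n?$"
)

# Hypothetical OS/distribution tokens looked for in the comments field.
# A real scanner carries a much larger table; this is only for illustration.
_OS_TOKENS = ("FreeBSD", "OpenBSD", "NetBSD", "Debian", "Ubuntu", "RedHat", "SUSE")

# Constructed sample banners, as they would appear on the wire.
SAMPLE_BANNERS = [
    # The string discussed in the thread, in its on-wire form.
    "SSH-1.99-OpenSSH_2.3.0 green@FreeBSD.org 20010321\r\n",
    # Same sshd version with an empty comments field: no OS hint to grab.
    "SSH-2.0-OpenSSH_2.3.0\r\n",
    # Violates the grammar: '-' inside softwareversion.
    "SSH-2.0-Open-SSH\r\n",
]


@dataclass(frozen=True)
class Ident:
    proto: str
    software: str
    comments: Optional[str]


def parse_ident(line: str) -> Optional[Ident]:
    """Split an identification line into its three grammar fields.
    Returns None when the line does not match the grammar."""
    m = _IDENT_RE.match(line)
    if not m:
        return None
    return Ident(m.group("proto"), m.group("software"), m.group("comments"))


def fingerprint(line: str) -> Optional[dict]:
    """What a single banner grab learns about the host."""
    ident = parse_ident(line)
    if ident is None:
        return None
    # OpenSSH-style "Name_version"; other implementations may differ.
    name, _, version = ident.software.partition("_")
    comments = ident.comments or ""
    # The OS tag lives in the comments field, not in softwareversion.
    os_hint = next((t for t in _OS_TOKENS if t.lower() in comments.lower()), None)
    return {
        "implementation": name,
        "version": version or None,
        "os_hint": os_hint,
        # protoversion "1.99" was the convention for "speaks SSH-1 and SSH-2".
        "speaks_ssh1": ident.proto.startswith("1"),
        "comments": comments,
    }


def valid_softwareversion(s: str) -> bool:
    """Check a replacement string against the grammar before shipping it:
    whitespace or '-' in softwareversion makes peers mis-split the line."""
    return re.fullmatch(_SOFTWARE_CHARS + r"+", s) is not None


def build_ident(proto: str, software: str, comments: Optional[str] = None) -> str:
    """Assemble a spec-conforming identification line (CR LF terminated)."""
    if not valid_softwareversion(software):
        raise ValueError(f"softwareversion {software!r} violates the grammar")
    line = f"SSH-{proto}-{software}"
    if comments:
        line += " " + comments
    return line + "\r\n"


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(repr(banner.rstrip()), "->", fingerprint(banner))
    # An admin who wants the version but not the OS tag keeps softwareversion
    # and simply drops the comments field.
    print(repr(build_ident("2.0", "OpenSSH_2.3.0")))
```

Running it shows that the FreeBSD hint and the 20010321 date come entirely from the comments field; the softwareversion "OpenSSH_2.3.0" is what the monitoring use case in the message actually needs, and stripping the comments keeps the line within the grammar.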
