From owner-freebsd-security Mon Mar 26 18:16:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id D1B5C37B719 for ; Mon, 26 Mar 2001 18:16:20 -0800 (PST) (envelope-from Gerhard.Sittig@gmx.net)
Received: (qmail 22414 invoked by uid 0); 27 Mar 2001 02:16:19 -0000
Received: from pd9508682.dip.t-dialin.net (HELO speedy.gsinet) (217.80.134.130) by mail.gmx.net (mail05) with SMTP; 27 Mar 2001 02:16:19 -0000
Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id WAA20470 for freebsd-security@freebsd.org; Mon, 26 Mar 2001 22:26:07 +0200
Date: Mon, 26 Mar 2001 22:26:07 +0200
From: Gerhard Sittig
To: freebsd-security@freebsd.org
Subject: Re: SSHD revealing too much information.
Message-ID: <20010326222607.V20830@speedy.gsinet>
Mail-Followup-To: freebsd-security@freebsd.org
References: <3ABF93BE.A855334@duwde.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <3ABF93BE.A855334@duwde.com.br>; from duwde@duwde.com.br on Mon, Mar 26, 2001 at 04:08:46PM -0300
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Mar 26, 2001 at 16:08 -0300, Duwde (Fabio V. Dias) wrote:
>
> I've already posted this at FreeBSD-stable@freebsd.org but it
> seems some people haven't agreed on this issue, so I'm posting
> this here, as it's security related.

I'm not sure what makes you think that -stable readers will have a
different view than -security subscribers ...

> [ ... ]
> #define SSH_VERSION "OpenSSH_2.3.0 green@FreeBSD.org 20010321"
> [ ... this string being visible to net logins / scans ... ]
> So as SSHD is a daemon USUALLY enabled to the whole internet,
> anyone can find out what OS (FreeBSD), and what SSHD *cvsuped*
> version is running. As well as if it has been fixed or NOT.

You name it. It's *only* about the _sshd_ version. Nothing less.
And nothing more.

BTW: Who said that paranoid admins (as you seem to be) still have
their daemons show an *appropriate* banner? And who said that attacks
are run only when the banner points toward vulnerable daemon versions?
Who said kiddies / idiots run any banner check at all before trying
any kit they have -- short of knowing at all what's going on? And how
can you think that the bug isn't there and doesn't get probed for just
because the banner doesn't point to it?

I really have a hard time seeing any real advantage in obscurity ...

The most important reason for introducing this special and
discriminating version string was to enable admins to tell one version
from another. Hiding this info doesn't buy you anything but maybe only
makes you _believe_ to be more secure (which is even more dangerous).
While providing this info is valuable to those who have to monitor and
maintain their networks.

You are free to change the string -- as long as it fits the spec
(cited somewhere in the thread where this very extension was discussed
as well as referred to in the commit messages -- you do read those
messages when running -STABLE, don't you?). An even better solution
could(!) be if you _provide_ a change to turn this info on/off instead
of demanding others to take back what they insert for a reason or to
bend themselves only for serving your wish for obscurity.

> So targeting attacks to unfixed SSHDs running FreeBSD would be
> made easier, as well as any other attacks in the future, 'cause
> there will be no doubt of what OS the host is running. (plus a
> good idea of its version, using the 20010321 string)

See above. How much does this banner have to hole? It could even be a
honeypot and dangerous to attack ... It's really nothing more than "a
good idea". If you're as paranoid as you look don't offer things like
login facilities (or networked services at all) "to the world by
default" ...

> Please let me know if I'm missing something...

You have gotten the same answers in the other thread: obscurity
doesn't result in better (if any) security!


virtually yours   82D1 9B9C  01DC 4FB4 D7B4  61BE 3F49 4F77  72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
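The string argued about above is what an SSH server sends as its identification line the moment a client connects, so anyone who can open TCP port 22 can read it, and the mail's "as long as it fits the spec" point is about that line's grammar. The following is an added example, not code from this thread, from OpenSSH or from FreeBSD: a parser for the identification line following the grammar later codified in RFC 4253 section 4.2 (SSH-protoversion-softwareversion SP comments CR LF), a check of whether a candidate SSH_VERSION string still yields a conformant line, and a banner grabber for a live host. The sample banners are constructed, "1.99" is assumed as the protoversion a server of that era would advertise, acceptance of a bare LF terminator is this example's own leniency, and only grab_banner() touches the network.

```python
"""SSH identification-string (version banner) parser and grabber.
Added example: not code from the thread, from OpenSSH or from FreeBSD."""
import re
import socket
import sys
from dataclasses import dataclass
from typing import Optional

# Grammar from RFC 4253 section 4.2:
#   SSH-protoversion-softwareversion SP comments CR LF
# protoversion and softwareversion are printable US-ASCII with no
# whitespace and no '-' (it is the field separator); the whole line is
# at most 255 bytes.  A bare LF terminator is also accepted here because
# pre-RFC servers sent one (an assumption of this example).
_TOKEN = rb"[\x21-\x2c\x2e-\x7e]+"
_ID_RE = re.compile(
    rb"^SSH-(?P<proto>" + _TOKEN + rb")-(?P<software>" + _TOKEN + rb")"
    rb"(?: (?P<comments>[\x20-\x7e]*))?\r?\n$"
)
MAX_ID_LEN = 255


@dataclass(frozen=True)
class SshIdentification:
    protoversion: str
    softwareversion: str
    comments: Optional[str]  # free-form; this is where "green@FreeBSD.org 20010321" lands


def parse_identification(line: bytes) -> Optional[SshIdentification]:
    """Parse one raw banner line; return None if it does not fit the grammar."""
    if len(line) > MAX_ID_LEN:
        return None
    m = _ID_RE.match(line)
    if m is None:
        return None
    comments = m.group("comments")
    return SshIdentification(
        m.group("proto").decode("ascii"),
        m.group("software").decode("ascii"),
        None if comments is None else comments.decode("ascii"),
    )


def is_valid_version_string(version: str) -> bool:
    """Would a server built with SSH_VERSION = version emit a conformant line?

    The server adds "SSH-<proto>-" and the terminator itself, so the first
    space-delimited word of `version` becomes softwareversion (and must not
    contain '-'); everything after the first space is the comments field.
    "1.99" is an assumed protoversion; any valid one gives the same verdict.
    """
    try:
        raw = version.encode("ascii")
    except UnicodeEncodeError:
        return False
    return parse_identification(b"SSH-1.99-" + raw + b"\r\n") is not None


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Read the identification line from a live server (needs network access).

    Reads until LF or MAX_ID_LEN so a hostile peer cannot make us buffer
    without bound; RFC 4253 lets a server send other lines first, so up to
    ten lines not starting with "SSH-" are skipped.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for _ in range(10):
            line = b""
            while not line.endswith(b"\n") and len(line) < MAX_ID_LEN:
                chunk = sock.recv(1)
                if not chunk:
                    raise ConnectionError("peer closed before sending an SSH- line")
                line += chunk
            if line.startswith(b"SSH-"):
                return line
    raise ValueError("no SSH identification line received")


# Constructed sample banners (not captured from any real host).
SAMPLES = [
    b"SSH-1.99-OpenSSH_2.3.0 green@FreeBSD.org 20010321\n",  # the thread's string
    b"SSH-2.0-OpenSSH_2.3.0\r\n",                            # no comments field
    b"SSH-1.99-OpenSSH_2.3.0-FreeBSD\n",                     # '-' inside softwareversion
]


def main(argv: list) -> None:
    """Parse the samples, or grab and parse a live banner from host[:port]."""
    lines = SAMPLES
    if len(argv) > 1:
        host, _, port = argv[1].partition(":")
        lines = [grab_banner(host, int(port or 22))]
    for raw in lines:
        print(raw, "->", parse_identification(raw))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the three constructed samples parsed, or with `host[:port]` to grab a live banner. The third sample shows why the OS-specific part of the FreeBSD string has to sit after a space: a hyphen inside softwareversion is the field separator and produces a line that a strict parser rejects. Real servers do occasionally ship such lines, so a scanner that must cope with them would relax the softwareversion class; the strict check is what "fits the spec" means.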