Mailing List Archive

ssh question
Hi

I'm curious if there is a gentoo way to disable my ssh daemon from
advertising the SSH version and OpenSSH version, like this:

$ telnet pizza 22
Trying 192.168.0.15...
Connected to pizza.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.9p1
^]
telnet> q
Connection closed.

Or could this removal cause havoc to my ssh/scp/sftp connectivity?

Just thinking that if I move my ssh port to 10022, a non-standard port,
this doesn't help me at all, as even script kiddies
can locate the non-standard port if they just do a wide enough port scan,
with enough patience that the port scanning isn't detected by other
active security measures.

This would at least slow down the security hole testing of the attacker
as they know that something is there, but not necessarily the version of
it. A colleague suggested recompiling my openssh after having patched
the sources for this, but I was wondering if gentoo had a solution to
this yet?

Also I couldn't see that the sshd_config would support this setting, but
if it does, please do tell me about it. ;)


-Jukka Palko

--
Jukka Palko jpalko@vapaa.fi
Postmaster jpalko@ipi.fi
Vapaa Internet Ry +358-(0)50-4876931
"Only if you want to, will you find a way..." -- Enya

--
gentoo-security@gentoo.org mailing list
Re: ssh question
Palko Jukka said:
> Hi
>
> I'm curious if there is a gentoo way to disable my ssh daemon from
> advertising the SSH version and OpenSSH version, like this:
[SNIP]

As best as I could tell the last time I looked into it, that banner is
necessary for the negotiation. But someone more knowledgeable would be
better to answer this question.

> Or could this removal cause havoc to my ssh/scp/sftp connectivity?
>
> Just thinking that if I move my ssh port to be 10022 to have it in a
> non-standard port, this doesn't help me at all as even script kiddies
> can locate the non-standard port if they just do a wide enough port scan
> and with enough patience so that port scanning isn't detected by other
> active security measures.

Someone kick me if I am wrong here.
You should at least be able to detect when someone has connected to the
port and seen the banner by enabling verbose logging in the SSHD daemon.
You can then choose to do something proactive if you see an actual
connect. Running SSH on high number ports, I have yet to ever see a full
connect on any of the machines I administer.

>
> This would at least slow down the security hole testing of the attacker
> as they know that something is there, but not necessarily the version of
> it. A colleague suggested to recompile my openssh after having patched
> the sources for this, but I was wondering if gentoo had a solution to
> this yet?
>
> Also I couldn't see that the sshd_config would support this setting, but
> if it does, please do tell me about it. ;)

Sounds like you want to use something like port knocking to make SSH
invisible.



Re: ssh question
>> I'm curious if there is a gentoo way to disable my ssh daemon from
>> advertising the SSH version and OpenSSH version, like this:
> [SNIP]
>
> As best as I could tell the last time I looked into it, that banner is
> necessary for the negotiation. But someone more knowledgeable would be
> better to answer this question.

This version broadcast occurs even with banners turned off. I asked
about this a few years ago on OpenBSD's lists, the polite suggestion
was that I could hack the string out of the source if I really cared.
Everyone else's consensus was that hiding version is useless,
script-kiddies hammer everything. As an older and wiser man I have
come to agree, obscurity isn't worth the effort. Either focus on
security auditing, or have faith in those who do (as I do :).

There is a "famous book" which recommends hiding this stuff, but 99% of
hackers without a personal vendetta aren't going to scope things out in
this manner. They'll automatically hammer you until something works.

james
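As an added example (not OpenSSH's code and not from any poster), here is a parser for the identification string a server sends first, as RFC 4253 section 4.2 defines it. It shows that the "SSH-2.0-" protocol part is what a client needs to negotiate, that the software-version part is what leaks, and why the sshd_config Banner option has no effect on it. The sample input is the line from the telnet session above.

```python
# Added example (not OpenSSH code): parse the identification string a
# server sends first, as defined in RFC 4253 section 4.2, to show which
# part a client needs for negotiation and which part merely leaks detail.
import re

# SSH-protoversion-softwareversion [SP comments] CR LF
# softwareversion: printable US-ASCII, no whitespace and no '-'.
IDENT_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9.]+)-(?P<sw>[\x21-\x2c\x2e-\x7e]+)"
    rb"(?: (?P<comments>[\x20-\x7e]*))?$"
)
MAX_IDENT_LEN = 255  # bytes, including CR LF (RFC 4253 section 4.2)


def parse_server_identification(data: bytes) -> dict:
    """Return the parts of the identification string in `data`.

    The server may send arbitrary text lines before the SSH- line
    (they must not start with "SSH-"); they are returned as pre_lines.
    sshd_config's Banner is *not* one of these: it is sent as
    SSH_MSG_USERAUTH_BANNER after key exchange, which is why turning it
    off does not hide the version.
    """
    pre_lines = []
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            if line:
                pre_lines.append(line.decode("ascii", "replace"))
            continue
        if len(line) + 2 > MAX_IDENT_LEN:
            raise ValueError("identification string longer than 255 bytes")
        m = IDENT_RE.match(line)
        if m is None:
            raise ValueError("malformed identification string: %r" % line)
        comments = m.group("comments")
        return {
            "proto": m.group("proto").decode(),
            "software": m.group("sw").decode(),
            "comments": comments.decode() if comments is not None else None,
            "pre_lines": pre_lines,
        }
    raise ValueError("no SSH- identification line found")


def negotiates_ssh2(proto: str) -> bool:
    """A client speaking SSH-2 needs proto 2.0 (or 1.99 for dual servers)."""
    return proto in ("2.0", "1.99")


# Constructed sample: the line from the telnet session in the thread.
SAMPLE = b"SSH-2.0-OpenSSH_3.9p1\r\n"

if __name__ == "__main__":
    print(parse_server_identification(SAMPLE))
```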


Re: ssh question
On Tue, Feb 08, 2005 at 02:32:50AM -0500, James Larkby-Lahet wrote:
> >>I'm curious if there is a gentoo way to disable my ssh daemon from
> >>advertising the SSH version and OpenSSH version, like this:
> >[SNIP]
> >
> >As best as I could tell the last time I looked into it, that banner is
> >necessary for the negotiation. But someone more knowledgeable would be
> >better to answer this question.
>
> This version broadcast occurs even with banners turned off. I asked
> about this a few years ago on OpenBSD's lists, the polite suggestion
> was that I could hack the string out of the source if I really cared.
> Everyone else's consensus was that hiding version is useless,
> script-kiddies hammer everything. As an older and wiser man I have
> come to agree, obscurity isn't worth the effort. Either focus on
> security auditing, or have faith in those who do (as I do :).

Yeah, I thought that this might be a useless hunt to start doing this
sort of stuff. I think a better solution is my current one, using the tcpd
USE flag and adding to /etc/hosts.deny:
SSHD: ALL
and to /etc/hosts.allow
SSHD: .work.net 127.
and so on.

> There is a "famous book" which recommends hiding this stuff, but 99% of
> hackers without a personal vendetta aren't going to scope things out in
> this manner. They'll automatically hammer you until something works.

Our security department at work was just really interested in how to
maximize this sort of thing to ultra-secure levels. And my preferred
test bed for this sort of stuff has been gentoo. :)

--
Jukka Palko jpalko@vapaa.fi
Postmaster jpalko@ipi.fi
Vapaa Internet Ry +358-(0)50-4876931
"Only if you want to, will you find a way..." -- Enya
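An added example, not part of the post and not libwrap's own code: a simplified model of how tcpd evaluates the hosts.allow and hosts.deny rules quoted above (allow file first, then deny, first match wins, no match means allow), so the interplay between "SSHD: ALL" and "SSHD: .work.net 127." can be checked offline against sample clients.

```python
# Added example, not libwrap itself: a simplified model of how tcpd
# evaluates hosts.allow / hosts.deny (hosts_access(5)) for the rules in
# the post. Supports ALL, LOCAL, ".suffix", "prefix." and exact names;
# EXCEPT clauses, netmasks and shell commands are ignored.

# Constructed from the post above.
HOSTS_DENY = "SSHD: ALL\n"
HOSTS_ALLOW = "SSHD: .work.net 127.\n"


def parse_rules(text):
    """Return [(daemon_list, client_list)]; extra ':' fields are dropped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split(":")
        if len(fields) < 2:
            continue
        # tcpd compares tokens case-insensitively, so SSHD matches sshd.
        rules.append(([d.lower() for d in fields[0].split()],
                      [c.lower() for c in fields[1].split()]))
    return rules


def client_matches(pattern, hostname, ip):
    hostname = hostname.lower()
    if pattern == "all":
        return True
    if pattern == "local":                # no dot in the host name
        return "." not in hostname
    if pattern.startswith("."):           # domain suffix, e.g. .work.net
        return hostname.endswith(pattern)
    if pattern.endswith("."):             # network prefix, e.g. 127.
        return ip.startswith(pattern)
    return pattern in (hostname, ip)


def access_allowed(daemon, hostname, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is searched first, then hosts.deny; first match wins.

    A client matching no rule in either file is allowed, which is why
    the post pairs the allow list with a catch-all 'SSHD: ALL' deny.
    `hostname` is what tcpd got from reverse DNS; pass the IP string when
    no name resolves, since a ".work.net" pattern can only match a name.
    """
    for rules, verdict in ((parse_rules(allow), True),
                           (parse_rules(deny), False)):
        for daemons, clients in rules:
            if daemon.lower() not in daemons and "all" not in daemons:
                continue
            if any(client_matches(c, hostname, ip) for c in clients):
                return verdict
    return True
```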

Re: ssh question
James Larkby-Lahet wrote:
>>> I'm curious if there is a gentoo way to disable my ssh daemon from
>>> advertising the SSH version and OpenSSH version, like this:

Yes.

> Everyone else's consensus was that hiding version is useless,
> script-kiddies hammer everything. As an older and wiser man I have come
> to agree, obscurity isn't worth the effort. Either focus on security
> auditing, or have faith in those who do (as I do :).
>

But as james explained well, I won't paraphrase him. I think you'll find it might
not be worth the effort.

investment = security_measure(effort) * security_measure(time);
losses = compute_losses(if_hacked);
if (investment >= losses) {
    dont_bother = 1;
}

To put it simply :)

Nevertheless, and for knowledge's sake we'll say, I wanted to share the info I
had on the subject since I myself went through the bother of all this a while back.
Here is a post on the subject of "Banners Removal" on a web forum.
http://www.security-forums.com/forum/viewtopic.php?t=8867
It details what you are looking to do, i.e. remove banners in software (including
OpenSSH).
The way to do it (as with a few other pieces of software) is to modify a .h file in the
source tree, and re-compile.
Depending on the admin and various other factors, this can be more or less hassle.

It's up to you now whether to do it or not. You have the power ;)

drax

--
Mail: drax@sweon.net
UIN: 123093451 - AIM: drax8080 - Jabber: swe@jabber.org
--===========================================================================--
There are 10 types of people, those who understand binary, and those who don't.

RE: ssh question
Hiding the version is definitely not worthwhile, at least compared to the infinite number of other security configuration tweaks you could do. I agree with the other things that have been mentioned, such as grsecurity, pax, exec-shield, etc.; all offer tremendous features that would do far more to secure your machine. Selinux is another option, although I feel it's overkill in most situations, especially considering the complexity of setting it up properly.

The obvious, like tcp wrappers and/or a firewall, also goes a long way. For something like ssh, where I might need access from almost anywhere, I will typically blacklist everything out of my country to begin with and then work from there. You could also use software that has the capability to edit your blacklist in real time, based on log activity. Additionally, I'll often only allow ssh access to a machine from a single IP on the local network. I can remotely access that machine, and then access the machine I really wanted to get to from that one. Certainly not foolproof, but it definitely makes things a lot more difficult for someone trying to hack the machine from the outside.


-----Original Message-----
From: drax [mailto:drax@sweon.net]
Sent: Fri 2/25/2005 8:03 AM
To: gentoo-security@lists.gentoo.org
Cc:
Subject: Re: [gentoo-security] ssh question