
Weblog entry #6 for trakic

Keep openssh-server version number silent
Posted by trakic on Thu 28 Oct 2010 at 08:19
Tags:
Problem description:
# grep Port sshd_config
#Port 22
Port 2022

# curl -I http://localhost:443
SSH-2.0-OpenSSH_5.5p1 Debian-4
Protocol mismatch.
curl: (56) Recv failure: Connection reset by peer


Q: How do I disable shouting out the version number?

-Admir Trakic

 

Comments on this Entry

Posted by Anonymous (66.175.xx.xx) on Thu 28 Oct 2010 at 22:22
You can't. It's hard coded and the developers are adamant you shouldn't be able to hide it. (I believe it's used at some level by the SSH client to determine what it can and can't do.)

If you look around, I remember seeing a patch when I looked into it about a year ago that would remove the version number, but I wouldn't necessarily recommend using it.


Posted by trakic (193.110.xx.xx) on Fri 29 Oct 2010 at 08:11
Maybe you're right; possibly it cannot be disabled.
I have also discovered that dropbear spits out its version number as well:
curl -I http://192.168.1.20:22
SSH-2.0-dropbear_0.52

To be honest, if this banner really cannot be disabled, I find disabling the PrintMotd and DebianBanner options a bit obsolete.

Admir Trakic


Posted by ajt (195.112.xx.xx) on Sat 30 Oct 2010 at 11:01

Whatever you may think, the OpenBSD and OpenSSH teams do have a good reputation for security. I think they are just sticking to "security through obscurity is no security at all", so learn to live with it.

Personally I don't like the idea of standing on the roof and shouting, but running SSH and hiding the version isn't getting you as much security as you think it is...

--
"It's Not Magic, It's Work"
Adam


Posted by trakic (193.110.xx.xx) on Mon 1 Nov 2010 at 09:09
The story for hiding the SSH banner is that if your ISP (like mine) allows only a few sockets to be publicly exposed on the Internet, you will probably end up running non-standard IANA services attached to those sockets.

Sure, you can also try to add some tunnelling configuration, e.g. SSH over HTTP(S), but this would require more services running and additional client configuration.

So if possible, I would really like to see this banner disabled, preferably by adjusting the main configuration file, and not by patching the original package.

-Admir Trakic


Posted by trakic (193.110.xx.xx) on Mon 1 Nov 2010 at 09:37
OK, I just found out that according to the RFC, the Protocol Version Exchange string (section 4.2) must also be sent in a particular format: http://www.ietf.org/rfc/rfc4253.txt.

So obviously I have to stick with SSH tunneling over HTTP(S).
-Admir Trakic


Posted by mcortese (20.142.xx.xx) on Tue 2 Nov 2010 at 14:55
Uh? What does the banner have to do with the port you map the service to?


Posted by bluekey (91.83.xx.xx) on Wed 17 Nov 2010 at 22:51
apt-get source openssh-server

Edit version.h
#define SSH_VERSION "asd"
#define SSH_RELEASE "asd"

./configure --prefix=/usr --sysconfdir=/etc
make -j8
make install
/etc/init.d/ssh restart

And you will get:

Connected to x.x.x.x
Escape character is '^]'.
SSH-2.0-asd

But you must put in a string as the version, otherwise the client won't connect, with this error:
"Bad remote protocol version identification: 'SSH-2.0-"

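As an added example (not code from this thread or from OpenSSH), here is a strict parser for the identification line that RFC 4253 section 4.2 prescribes, the format trakic cites above; it shows why the empty-softwareversion build in bluekey's comment is rejected with "Bad remote protocol version identification" while "SSH-2.0-asd" is accepted. The banners used as input are the ones quoted in the thread; the function names are my own.

```python
import re

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
# softwareversion is printable US-ASCII without whitespace or '-';
# comments are optional; the whole line is at most 255 bytes with CR LF.
# This follows the RFC strictly; real clients are somewhat more lenient.
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>[\x21-\x2c\x2e-\x7e]+)"
    r"(?: (?P<comments>[\x20-\x7e]*))?$"
)


def parse_identification(line: bytes) -> dict:
    """Validate one identification line as a client must (ValueError if bad)."""
    if len(line) > 255:
        raise ValueError("identification line longer than 255 bytes")
    if not line.endswith(b"\r\n"):
        raise ValueError("identification line must end with CR LF")
    m = _IDENT_RE.match(line[:-2].decode("ascii"))  # non-ASCII -> ValueError
    if m is None:
        # Covers the empty softwareversion case (b"SSH-2.0-\r\n"): nothing
        # follows the second '-', so the peer's identification is rejected.
        raise ValueError("bad remote protocol version identification")
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments"),  # None when the server sent none
        "ssh2_ok": m.group("proto") in ("2.0", "1.99"),  # 1.99 = RFC 4253 s.5.1
    }


def read_server_identification(data: bytes) -> dict:
    """Find the identification line in what the server sent first.

    RFC 4253 allows the server to send other lines before it (e.g. a
    greeting); the client must ignore those and use the first 'SSH-' line.
    """
    while data:
        eol = data.find(b"\n")
        if eol < 0:
            break
        line, data = data[: eol + 1], data[eol + 1:]
        if line.startswith(b"SSH-"):
            return parse_identification(line)
    raise ValueError("no identification line received")
```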
