[ubuntu-hardened] hiding ssh version

Dan Howerton danny.howerton at gmail.com
Sat Mar 28 21:09:36 GMT 2009


Paul:

Security through obscurity implies that I am relying solely on the obscurity
alone to secure myself and that is not the case. It is about throwing any
possible roadblock in the way of an attacker because if it delays someone x
amount of time from gaining access then I get x amount of time to identify a
threat and take countermeasures.

http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)


Kees:

Is it not possible to get a package in the repos that incorporates this
patch and other hardening measures such as denyhosts? Possibly an
ssh-hardened package? It doesn't have to be something that is pushed out
with the distro by default but something that people can install if they
choose to.



On Sat, Mar 28, 2009 at 10:15 AM, Kees Cook <kees at ubuntu.com> wrote:

> Hi Dan,
>
> On Sat, Mar 28, 2009 at 12:00:40AM -0600, Dan Howerton wrote:
> > x at x:~$ telnet 1.1.1.1 22
>
> I recommend "nc" since it doesn't send or process Telnet escape
> sequences[1].
>
> > I don't quite fancy this so I did some poking around google and found a
> > patch to hide this at
> >
> > http://www.kramse.dk/projects/unix/opensshhideversion_en.html
> >
> > Is it possible to get this patch into either the standard openssh package
> > or one we can grab through the security repo?
>
> There has been a long-standing bug[2] with upstream, where I supplied
> a few versions of possible patches, but they continue to really dislike
> the idea.
>
> My reasoning has been that I can already change the banner on other
> services (SMTP, e.g.), so why not have the same available for SSH?  I have
> been nervous about carrying such a patch in Ubuntu without upstream
> approval, though.
>
> I understand their reasoning about not wanting to mess with the protocol
> versions, and I get that clients may need to tweak behavior based on the
> software version, and I've seen situations where even using the version
> comment could be useful to clients, but I think that's all moot since
> only a small number of people would even use these options.
>
> If someone wants to try to convince upstream otherwise, I would be very
> happy.  :)
>
> -Kees
>
> [1] http://en.wikipedia.org/wiki/Telnet
> [2] https://bugzilla.mindrot.org/show_bug.cgi?id=764
>
> --
> Kees Cook
> Ubuntu Security Team
>



-- 
Dan Howerton
http://metacortexsecurity.com
GPG key: 10F5DDA5
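The identification string Dan saw over telnet, and the protocol-version, software-version and comment fields Kees refers to, follow the fixed format of RFC 4253 section 4.2. As an added example that is not from this thread or from OpenSSH itself, the following Python parser reads that line (skipping any pre-banner text lines a server is allowed to send first) and flags whether the software field still carries a release number; the sample banners and the `grab()` helper are assumptions constructed for self-auditing one's own hosts.

```python
"""Parse the SSH identification string: SSH-protoversion-softwareversion SP comments CR LF."""
import re
import socket
from typing import Optional

# RFC 4253 4.2 shape; comments are optional and follow a single space.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^ \r\n]+)(?: (?P<comment>[^\r\n]*))?$"
)


def parse_identification(line: str) -> Optional[dict]:
    """Return the three fields of one identification line, or None if it is not one."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {"proto": m.group("proto"), "software": m.group("software"),
            "comment": m.group("comment")}


def find_identification(stream: bytes) -> Optional[dict]:
    """Scan raw server output; RFC 4253 lets lines not starting with 'SSH-' precede the banner."""
    for raw in stream.split(b"\n"):
        parsed = parse_identification(raw.decode("ascii", errors="replace"))
        if parsed:
            return parsed
    return None


def version_exposed(ident: dict) -> bool:
    """True when the software field still reveals a release number (e.g. OpenSSH_5.1p1)."""
    return re.search(r"\d", ident["software"]) is not None


def grab(host: str, port: int = 22, timeout: float = 5.0) -> Optional[dict]:
    """Fetch and parse the banner from a host you administer (plain TCP, like nc)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return find_identification(s.recv(4096))


# Constructed samples: a pre-banner text line plus a verbose banner, and a trimmed one.
SAMPLE_VERBOSE = b"Unauthorized access prohibited\r\nSSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1\r\n"
SAMPLE_HIDDEN = b"SSH-2.0-OpenSSH\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_VERBOSE, SAMPLE_HIDDEN):
        ident = find_identification(sample)
        print(ident, "version exposed:", version_exposed(ident))
```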