Paul:<br><br>Security through obscurity implies that I am relying solely on the obscurity alone to secure myself and that is not the case. It is about throwing any possible roadblock in the way of an attacker because if it delays someone x amount of time from gaining access then I get x amount of time to identify a threat and take counter measures. <br>
<br><a href="http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)">http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)</a><br><br><br>Kees:<br><br>Is it not possible to get a package in the repos that incorporates this patch and other hardening measures such as denyhosts? Possibly an ssh-hardened package? It doesn't have to be something that is pushed out with the distro by default but something that people can install if they choose to.<br>
<br><br><br><div class="gmail_quote">On Sat, Mar 28, 2009 at 10:15 AM, Kees Cook <span dir="ltr"><<a href="mailto:kees@ubuntu.com">kees@ubuntu.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Dan,<br>
<div class="im"><br>
On Sat, Mar 28, 2009 at 12:00:40AM -0600, Dan Howerton wrote:<br>
> x@x:~$ telnet 1.1.1.1 22<br>
<br>
</div>I recommend "nc" since it doesn't send or process Telnet escape sequences[1].<br>
<div class="im"><br>
> I dont quite fancy this so I did some poking around google and found a patch<br>
> to hide this at<br>
><br>
> <a href="http://www.kramse.dk/projects/unix/opensshhideversion_en.html" target="_blank">http://www.kramse.dk/projects/unix/opensshhideversion_en.html</a><br>
><br>
> Is it possible to get this patch into either the standard openssh package or<br>
> one we can grab through the security repo?<br>
<br>
</div>There has been a long-standing bug[2] with upstream, where I supplied<br>
a few versions of possible patches, but they continue to really dislike<br>
the idea.<br>
<br>
My reasoning has been that I can already change the banner on other<br>
services (SMTP, e.g.), so why not have the same available for SSH? I have<br>
been nervous about carrying such a patch in Ubuntu without upstream<br>
approval, though.<br>
<br>
I understand their reasoning about not wanting to mess with the protocol<br>
versions, and I get that clients may need to tweak behavior based on the<br>
software version, and I've seen situations where even using the version<br>
comment could be useful to clients, but I think that's all moot since<br>
only a small number of people would even use these options.<br>
<br>
If someone wants to try to convince upstream otherwise, I would be very<br>
happy. :)<br>
<br>
-Kees<br>
<br>
[1] <a href="http://en.wikipedia.org/wiki/Telnet" target="_blank">http://en.wikipedia.org/wiki/Telnet</a><br>
[2] <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=764" target="_blank">https://bugzilla.mindrot.org/show_bug.cgi?id=764</a><br>
<font color="#888888"><br>
--<br>
Kees Cook<br>
Ubuntu Security Team<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Dan Howerton<br><a href="http://metacortexsecurity.com">http://metacortexsecurity.com</a><br>GPG key: 10F5DDA5<br><br><br>