How to hide SSH version


 
# 8  
Old 02-15-2008
Quote:
Originally Posted by sparcguy
Well I too agree with what you say as true but my bottom line is I have to pass this audit and my boss is anxious to pass the audit and so is the management, regardless of where they read up the info from internet, whether they are amateur script kiddies or not THEY ARE THE AUDITORS and I have to comply.

Out of curiosity, did they tell you why you need to do this?
In my experience with audits (which is 2 audits in all my years doing this), when something has been recommended, the onus has been put on the auditors to tell us why it is needed, how can we accomplish it, and what guarantee they can give us that it will not break anything in our system.

Anyway, for easy fixes that don't require recompiling or messing around with the sshd binary, you could:
- Block telnet to port 22.
- Change the port sshd listens on.
- Comment telnet out of inet.conf and HUP inetd

A general comment: this is one of those things that I cannot understand about these "security experts". They want SAs to mess around with ssh, but they don't mind that telnet is running. If I'm a hacker, and I'm already inside your network, why would I want to mess around with the encrypted stuff when I have clear text flowing through the wire?
# 9  
Old 02-17-2008
Quote:
Originally Posted by System Shock
A general comment: this is one of those things that I cannot understand about these "security experts". They want SAs to mess around with ssh, but they don't mind that telnet is running. If I'm a hacker, and I'm already inside your network, why would I want to mess around with the encrypted stuff when I have clear text flowing through the wire?
Isn't it obvious? One of the Matrix movies had a character using an ssh exploit to hack some power station. Suddenly ssh is the prime target for all auditors.

But seriously, most audits should result in either compliance or a reason why not to. I'd say system stability when compared to the relatively low increase in risk by displaying that information is a pretty good reason.
# 10  
Old 02-18-2008
Quote:
Originally Posted by System Shock
Out of curiosity, did they tell you why you need to do this?
In my experience with audits (which is 2 audits in all my years doing this), when something has been recommended, the onus has been put on the auditors to tell us why it is needed, how can we accomplish it, and what guarantee they can give us that it will not break anything in our system.

Anyway, for easy fixes that don't require recompiling or messing around with the sshd binary, you could:
- Block telnet to port 22.
- Change the port sshd listens on.
- Comment telnet out of inet.conf and HUP inetd

A general comment: this is one of those things that I cannot understand about these "security experts". They want SAs to mess around with ssh, but they don't mind that telnet is running. If I'm a hacker, and I'm already inside your network, why would I want to mess around with the encrypted stuff when I have clear text flowing through the wire?
Yeah, I intend to change the port to something else, let those "experts" sniff it out and when they do I'll change it again. Blocking telnet to port 22 won't help much, those guys are using netcat tools.

Anyway, thanks for the suggestions.
# 11  
Old 02-18-2008
Some of the exploits out there are targeting specific versions of ssh. This is why I think it is important to hide services' version.
# 12  
Old 02-18-2008
Quote:
Originally Posted by iNetForce
Some of the exploits out there are targeting specific versions of ssh. This is why I think it is important to hide services' version.
ok...
there aren't that many versions of ssh out there. So there are some exploits that work on some and not on others...
ok...

Question 1: if you have an ssh version that is vulnerable to a particular exploit, how do you make it more secure?
a) hide the name
b) patch/upgrade ssh to remove the vulnerability

Question 2 : If I'm a hacker, and I see a) renamed version - my exploit for that version is not working- or b) a name that makes no sense, what's the first thing that comes into my mind? "Hey, they have a vulnerability they are trying to hide but haven't patched yet!!"

Question 3: wouldn't it make more sense to either stop telnet or deny telnet to the ssh port, rather than advertise to everyone that you have a vulnerability that you have not addressed properly by attempting to disguise it?

Question 4: again, if I'm a hacker, and I'm in your network, if I know telnet is enabled, why would I want to mess with the encrypted stuff when you are sending plain ascii packets across the network?
# 13  
Old 02-18-2008
Quote:
Originally Posted by System Shock
ok...
there aren't that many versions of ssh out there. So there are some exploits that work on some and not on others...
ok...

Question 1: if you have an ssh version that is vulnerable to a particular exploit, how do you make it more secure?
a) hide the name
b) patch/upgrade ssh to remove the vulnerability

Question 2 : If I'm a hacker, and I see a) renamed version - my exploit for that version is not working- or b) a name that makes no sense, what's the first thing that comes into my mind? "Hey, they have a vulnerability they are trying to hide but haven't patched yet!!"

Question 3: wouldn't it make more sense to either stop telnet or deny telnet to the ssh port, rather than advertise to everyone that you have a vulnerability that you have not addressed properly by attempting to disguise it?

Question 4: again, if I'm a hacker, and I'm in your network, if I know telnet is enabled, why would I want to mess with the encrypted stuff when you are sending plain ascii packets across the network?
To answer questions 3) and 4).

Someone from the outside is using telnet, and clearly you can't disable telnet on his/her machine.

Furthermore, initially SSH will see no difference between a real ssh connecting or a telnet session on port 22.
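
Added example (not part of the original thread): a parser for the identification string that every SSH server sends in cleartext on connect (RFC 4253, section 4.2), which is the version banner this thread is about. The function names, host names and sample greetings are constructed for illustration; an administrator can use it to record what their own servers announce and to flag protocol 1 compatibility.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

def parse_ident(raw: bytes) -> dict:
    """Parse the cleartext greeting a server sends before any encryption."""
    for line in raw.split(b"\n"):
        text = line.rstrip(b"\r").decode("ascii", errors="replace")
        if not text.startswith("SSH-"):
            continue  # a server may send free-text lines before the ident
        if len(line) + 1 > 255:  # RFC limit, counting CR LF
            raise ValueError("identification string longer than 255 bytes")
        m = IDENT_RE.match(text)
        if m is None:
            raise ValueError("malformed identification string")
        return {
            "proto": m.group("proto"),
            "software": m.group("software"),
            "comments": m.group("comments") or "",
            # 1.x is protocol 1 only; 1.99 means protocol 1 and 2 both offered
            "ssh1_enabled": m.group("proto").startswith("1."),
        }
    raise ValueError("no SSH identification string found")

def audit(greetings: dict) -> dict:
    """Map each host to its parsed ident, or to an error string."""
    report = {}
    for host, raw in greetings.items():
        try:
            report[host] = parse_ident(raw)
        except ValueError as exc:
            report[host] = f"error: {exc}"
    return report

# Constructed sample greetings (hypothetical hosts, not captured from real systems)
SAMPLES = {
    "db1": b"SSH-2.0-Sun_SSH_1.1\r\n",
    "web1": b"SSH-1.99-OpenSSH_4.7\r\n",
    "gw1": b"Authorized use only\r\nSSH-2.0-OpenSSH_4.7p1 Debian-8\r\n",
    "tel1": b"login: ",
}

if __name__ == "__main__":
    for host, result in audit(SAMPLES).items():
        print(host, result)
```

The `SSH-protoversion-` prefix is required by the protocol, so only the software name and the comment field are candidates for hiding.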
# 14  
Old 02-18-2008
To come up with the most simple answer.

If according to the auditors the SSH version should be made hidden, why don't they tell you how to do it if they consider it possible?