On Mon, 2003-06-16 at 23:32, Tomasz Papszun wrote:
> On Mon, 16 Jun 2003 at 14:26:33 +0200, Stefan Neufeind wrote:
> > On 16 Jun 2003 at 7:00, Halil Demirezen wrote:
> >
> > > To be brief, I don't usually come across that there is an exploit for
> > > only effective to debian boxes. Plus, There are lots of ways to learn
> > > what distribution you are running on your machine. telnet xxxx.com 80
> > > and do some returns and you get the info you are running apache with
> > > php xxx support on debian box.
> > >
> > > This is not only ssh case.
> >
> > Well, but for e.g. php I don't see why this is necessary. Anybody
> > wrote a doc on how to suppress unnecessary version-messages? I'd be
> > really interested in such things ...
> >
>
> In apache's config:
>
> ServerTokens ProductOnly
> ServerSignature Off
>

I was going to say exactly this earlier in the thread. I put this in my
Apache config quite some time ago when I realised I could. There should
be something similar in the sshd_config in my opinion.

Of the information spat out from my ssh daemon:

SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1

I believe that clients need only the "SSH-2.0" part. Even some security
by obscurity makes me feel better if easy to implement and doesn't make
anything more difficult to do.

Regards.

Mark.
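An added example, not part of the original thread: a Python check for auditing your own hosts that splits an SSH identification string into the fields RFC 4253 section 4.2 defines and lists what it, and an HTTP Server header, disclose. The SSH banner is the one quoted in the message; the Server header values and the DISTROS keyword list are constructed for illustration.

```python
import re

# RFC 4253 section 4.2 layout: SSH-protoversion-softwareversion SP comments
SSH_ID = re.compile(
    r"^SSH-(?P<proto>[^\s-]+)-(?P<software>[^\s-]+)(?: (?P<comments>.*))?$")
# Product token followed by a numeric version, e.g. "PHP/4.1.2"
HTTP_PRODUCT = re.compile(r"([A-Za-z][\w.-]*)/(\d\S*)")
DISTROS = ("debian", "ubuntu", "red hat", "suse", "gentoo")  # assumed list


def _distro_hits(text):
    """Flag distribution names that appear anywhere in the string."""
    low = text.lower()
    return ["distribution: " + d for d in DISTROS if d in low]


def audit_ssh_banner(line):
    """Return (protocol version, findings) for one SSH identification line."""
    m = SSH_ID.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification string")
    findings = []
    if re.search(r"\d", m["software"]):
        findings.append("software version: " + m["software"])
    if m["comments"]:
        findings.append("comment field: " + m["comments"])
    return m["proto"], findings + _distro_hits(line)


def audit_server_header(value):
    """Return findings for the value of an HTTP Server response header."""
    findings = [f"{name} version: {ver}"
                for name, ver in HTTP_PRODUCT.findall(value)]
    return findings + _distro_hits(value)


if __name__ == "__main__":
    # Banner quoted in the message above.
    print(audit_ssh_banner("SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1"))
    # Constructed Server header values: a verbose one, and the value that
    # results from "ServerTokens ProductOnly".
    for header in ("Apache/1.3.26 (Unix) Debian GNU/Linux PHP/4.1.2", "Apache"):
        print(repr(header), "->", audit_server_header(header))
```

An empty findings list for the Server header is what the two Apache directives quoted above are meant to produce; the SSH banner's comment field is the part that carries the distribution package string here.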