"Karl E. Jorgensen" <[EMAIL PROTECTED]> writes:

> On Fri, Oct 25, 2002 at 05:19:18PM -0500, DvB wrote:
> > Isn't this a potential security issue?
> > 
<snip>
> As for the "how" bit, try:
>     $ telnet localhost ssh
> 
> and your sshd should respond with its banner. That's probably what the
> scanner picked up.
> 
> IIRC the banner is required to announce what ssh protocol versions it
> speaks, but there might be some room for tweaking it.
> 

The computer's behind a firewall, so it doesn't really matter. I was
just curious.


> But ... Changing the banner to something more generic is merely security
> by obscurity - once a vulnerability is known and abused, why would an
> attacker pay *any* attention to the banner? Just try the exploit!
> 

You're probably right about it being security through obscurity. I was
thinking in terms of someone looking for "exploitable" machines but, on
second thought, I suppose that instead of probing each computer for
vulnerability, one could just go ahead and test the exploit... in most
cases, anyway.


> Besides: The security team has back-ported a few fixes to Debian's
> ssh, where it would be wrong to change the banner (apart from
> incrementing the Debian version number). So the version number does not
> necessarily reflect the vulnerabilities present.

No, but the Debian version number, which is also included, would. That's
why I specified persons who are familiar with what patches have been
included or not in Debian packages. Of course, you could probably argue
that this would exclude most of the "script kiddies" that I mentioned
later on in my post.

I guess, overall, there's really no compelling reason to change the
version string. Just a random idea that I sent off to the list before
thinking it over enough :-)


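Karl's `telnet localhost ssh` suggestion, and the discussion of what the banner carries (the SSH protocol version, the software version, and the Debian package version in the trailing comments field), can be made concrete with a small parser for the SSH identification string. The format is `SSH-protoversion-softwareversion SP comments CR LF`, as later codified in RFC 4253 section 4.2; a server that speaks both protocol 1 and 2 announces `1.99`. This is an added example, not code from either poster or from the Debian ssh package; the sample banner strings are constructed for illustration, not captured from a real host, and `grab_ssh_banner` is a helper of my own that does the network read the telnet command does by hand.

```python
"""Parse SSH server identification strings ("banners") and grab one live.

Added example, not from the original thread. SAMPLE_BANNERS below are
constructed for illustration, not captured from a real server.
"""
import re
import socket
from typing import Dict, Iterable, List, Optional

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
# protoversion and softwareversion contain no whitespace or '-'; comments
# are optional and free-form. Debian's ssh package puts its package version
# there, which is the "Debian version number" discussed in the thread.
_BANNER_RE = re.compile(rb"^SSH-(?P<proto>[^-\s]+)-(?P<soft>\S+)(?: (?P<comments>.*))?$")

# Constructed samples (not real captures): Debian-style comments, plain
# OpenSSH, a protocol-1-only server, and a non-SSH service on the port.
SAMPLE_BANNERS: List[bytes] = [
    b"SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-1\r\n",
    b"SSH-2.0-OpenSSH_3.4p1\r\n",
    b"SSH-1.5-1.2.31\r\n",
    b"220 not an ssh server\r\n",
]


def parse_ssh_banner(line: bytes) -> Optional[Dict[str, object]]:
    """Split one identification line into its fields; None if it is not one."""
    m = _BANNER_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    proto = m.group("proto").decode("ascii", "replace")
    comments = m.group("comments")
    return {
        "protoversion": proto,
        # "1.99" means the server speaks both protocol 1 and protocol 2.
        "supports_v1": proto.startswith("1."),
        "supports_v2": proto in ("1.99", "2.0"),
        "softwareversion": m.group("soft").decode("ascii", "replace"),
        "comments": comments.decode("ascii", "replace") if comments is not None else None,
    }


def find_identification(lines: Iterable[bytes]) -> Optional[Dict[str, object]]:
    """A server may send arbitrary text lines before the SSH- line; skip them."""
    for line in lines:
        parsed = parse_ssh_banner(line)
        if parsed is not None:
            return parsed
    return None


def grab_ssh_banner(host: str, port: int = 22, timeout: float = 5.0,
                    max_lines: int = 32) -> Optional[Dict[str, object]]:
    """Connect and read until the identification line (what telnet would show).

    Reads at most max_lines lines so a chatty or hostile service cannot
    keep us reading forever. Network helper; not exercised offline.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        collected: List[bytes] = []
        for _ in range(max_lines):
            line = reader.readline()
            if not line:
                break
            collected.append(line)
            if line.startswith(b"SSH-"):
                break
    return find_identification(collected)


if __name__ == "__main__":
    for raw in SAMPLE_BANNERS:
        print(raw.rstrip(), "->", parse_ssh_banner(raw))
    # Live grab against the local sshd, the scripted equivalent of
    # `telnet localhost ssh`; uncomment to try it:
    # print(grab_ssh_banner("localhost"))
```

Two caveats the parser makes visible: the software version alone says nothing about back-ported fixes, exactly as Karl notes, so a scanner that keys on `OpenSSH_3.4p1` will mis-rate a patched Debian host unless it also reads the comments field; and a service that never sends an `SSH-` line (the `220` sample) is simply not identified, rather than being guessed at.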