Prevent SSH from advertising its version number
The server I am using is Ubuntu 10.10. To ensure security I want to edit the banner the server sends to the client.
If I telnet to my host on port 22 it tells me the exact version of SSH I am running (SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4). The situation is the same with MySQL and Cyrus.
Any suggestions? At least for SSH?
Thanks
Solution 1:
Almost universally, identifying banners are part of the compiled code and do not have configuration options to alter or suppress them. You will have to recompile those pieces of software.
Solution 2:
While it's prohibitively difficult to hide the version number of your SSH daemon, you can easily hide the linux version (Debian-3ubuntu4)
Add the following line to /etc/ssh/sshd_config
DebianBanner no
And restart your SSH daemon: /etc/init.d/ssh restart
or service ssh restart
Solution 3:
Hiding those won't secure your server. There are many more ways to fingerprint what your system is running. For SSH in particular, the version announcement is part of the protocol and is required.
http://www.snailbook.com/faq/version-string.auto.html
Solution 4:
As said above, changing a version number is
- Hard to do
- Security through obscurity
- Not flexible
What I suggest is implementing Port Knocking. It's a fairly simple technique to hide anything that is running on your server.
Here is a good implementation: http://www.zeroflux.org/projects/knock
This is how I implemented it on my servers (other numbers) to open SSH only to the people who know 'the secret knock':
[openSSH]
sequence = 300,4000,32
seq_timeout = 5
command = /opencloseport.sh %IP% 2305
tcpflags = syn
This will give a 5 sec window in which the 3 SYN-packets need to be received in the right order. Choose ports that are far from each other and not sequential. That way, a portscanner can't open the port by accident. These ports do not need to be opened by iptables.
The script I call is this one. It opens a particular port for 5 seconds for the IP sending the SYN-packets.
#!/bin/bash
/sbin/iptables -I INPUT -s $1 -p tcp --dport $2 -j ACCEPT
sleep 5
/sbin/iptables -D INPUT -s $1 -p tcp --dport $2 -j ACCEPT
It can be a real pain to send the SYN-packets so I use the script to connect to the SSH of my servers:
#!/bin/bash
knock $1 $2
knock $1 $3
knock $1 $4
ssh $5@$1 -p $6
(It's pretty obvious what is happening here...)
After the connection is established, the port can be closed. Hint: Use Key-authentication. Otherwise you need to be very fast to type your password.