Prevent SSH from advertising its version number

security linux

The server I am using is Ubuntu 10.10. To ensure security I want to edit the banner the server sends to the client.

If I telnet to my host on port 22 it tells me the exact version of SSH I am running (SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4). The situation is the same with MySQL and Cyrus.

Any suggestions? At least for SSH?

Thanks


Solution 1:

Almost universally, identifying banners are part of the compiled code and do not have configuration options to alter or suppress them. You will have to recompile those pieces of software.

Solution 2:

While it's prohibitively difficult to hide the version number of your SSH daemon, you can easily hide the linux version (Debian-3ubuntu4)

Add the following line to /etc/ssh/sshd_config

DebianBanner no

And restart your SSH daemon: /etc/init.d/ssh restart or service ssh restart

Solution 3:

Hiding those won't secure your server. There are many more ways to fingerprint what your system is running. For SSH in particular, the version announcement is part of the protocol and is required.

http://www.snailbook.com/faq/version-string.auto.html

Solution 4:

As said above, changing a version number is

  1. Hard to do
  2. Security through obscurity
  3. Not flexible

What I suggest is implementing Port Knocking. It's a fairly simple technique to hide anything that is running on your server.

Here is a good implementation: http://www.zeroflux.org/projects/knock

This is how I implemented it on my servers (other numbers) to open SSH only to the people who know 'the secret knock':

[openSSH]
    sequence = 300,4000,32
    seq_timeout = 5
    command = /opencloseport.sh %IP% 2305
    tcpflags = syn

This will give a 5 sec window in which the 3 SYN-packets need to be received in the right order. Choose ports that are far from each other and not sequential. That way, a portscanner can't open the port by accident. These ports do not need to be opened by iptables.

The script I call is this one. It opens a particular port for 5 seconds for the IP sending the SYN-packets.

#!/bin/bash
/sbin/iptables -I INPUT -s $1 -p tcp --dport $2  -j ACCEPT
sleep 5
/sbin/iptables -D INPUT -s $1 -p tcp --dport $2  -j ACCEPT

It can be a real pain to send the SYN-packets so I use the script to connect to the SSH of my servers:

#!/bin/bash
knock $1 $2
knock $1 $3
knock $1 $4
ssh $5@$1 -p $6

(It's pretty obvious what is happening here...)

After the connection is established, the port can be closed. Hint: Use Key-authentication. Otherwise you need to be very fast to type your password.

Related

How to open a 8080 port for an application, with iptables
Is the Amazon EC2 instance id unique forever?
Is there research material on NTP accuracy available?
Postfix smtps and submission confusion
How to configure commands to get executed automatically when AWS ec2 instance cpu utilization goes above certain percentage
Sendmail forwarding?
nginx not serving requests to external IP address
How can I get haproxy to log to systemd/journald?
On Fedora, how do I configure selinux to allow a port for a new undefined service type?
Zookeeper node is not able to load database on production server anymore
Emails are constantly marked by Outlook.com as SPAM
nginx proxy_pass to https