hiding ssh version


Dan Howerton
Hey Guys,

I was poking around and saw this...

x@x:~$ telnet 1.1.1.1 22
Trying 1.1.1.1...
Connected to 1.1.1.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1

I don't quite fancy this so I did some poking around Google and found a patch to hide this at

http://www.kramse.dk/projects/unix/opensshhideversion_en.html

Is it possible to get this patch into either the standard openssh package or one we can grab through the security repo?


--
Dan Howerton
http://metacortexsecurity.com
GPG key: 10F5DDA5



--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

Re: hiding ssh version

Paul Sladen-2
On Sat, 28 Mar 2009, Dan Howerton wrote:
> SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
> http://www.kramse.dk/projects/unix/opensshhideversion_en.html

This patch is attempting to introduce security through obscurity:

  http://en.wikipedia.org/wiki/Security_through_obscurity

A patch like this is probably best taken upstream (to OpenSSH themselves) before
consideration.  It appears that somebody may have already done that:

  http://kerneltrap.org/mailarchive/openbsd-misc/2008/4/24/1578594

(Warning, contains mild obscenities).

        -Paul
--
Why do one side of a triangle when you can do all three.  Somewhere, GB.



Re: hiding ssh version

Marc Deslauriers-3
In reply to this post by Dan Howerton
On Sat, 2009-03-28 at 00:00 -0600, Dan Howerton wrote:

> Hey Guys,
>
> I was poking around and saw this...
>
> x@x:~$ telnet 1.1.1.1 22
> Trying 1.1.1.1...
> Connected to 1.1.1.1.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
>
> I don't quite fancy this so I did some poking around Google and found a
> patch to hide this at
>
> http://www.kramse.dk/projects/unix/opensshhideversion_en.html
>
> Is it possible to get this patch into either the standard openssh
> package or one we can grab through the security repo?

That wouldn't be a good idea, as ssh clients, including OpenSSH, parse
the version string in order to identify bugs/capabilities with
particular ssh versions.

For an example, see compat.c in the OpenSSH source code.

Marc.
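
Added example, not part of the message above and not OpenSSH's own code: a sketch of the kind of version-string matching the reply points to, showing what a peer loses when the software-version field is rewritten. The pattern table, the `QUIRK_*` flag names and the `ExampleSSH` product are hypothetical; only the `SSH-protoversion-softwareversion SP comments` layout comes from RFC 4253.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
#define QUIRK_OLD_KEX  0x01   /* hypothetical workaround flag */
#define QUIRK_NO_REKEY 0x02   /* hypothetical workaround flag */
/* Constructed table (hypothetical, not compat.c): glob over software version. */
static const struct { const char *pat; int flags; } quirk_table[] = {
    { "ExampleSSH_1.*",  QUIRK_OLD_KEX | QUIRK_NO_REKEY },
    { "ExampleSSH_2.0*", QUIRK_NO_REKEY },
};

/* Split "SSH-protoversion-softwareversion[ SP comments]" (RFC 4253, 4.2).
 * Returns 0 on success, -1 if the line is not a valid identification. */
int parse_ident(const char *line, char *proto, size_t plen, char *sw, size_t swlen)
{
    if (strncmp(line, "SSH-", 4) != 0)
        return -1;
    const char *p = line + 4;
    const char *dash = strchr(p, '-');
    if (dash == NULL || dash == p || (size_t)(dash - p) >= plen)
        return -1;
    memcpy(proto, p, (size_t)(dash - p));
    proto[dash - p] = '\0';
    size_t n = strcspn(dash + 1, " \r\n");   /* comments and CR LF are dropped */
    if (n == 0 || n >= swlen)
        return -1;
    memcpy(sw, dash + 1, n);
    sw[n] = '\0';
    return 0;
}

/* Workaround flags for a peer banner; 0 if nothing matches, -1 if malformed. */
int quirks_for(const char *line)
{
    char proto[16], sw[128];
    if (parse_ident(line, proto, sizeof proto, sw, sizeof sw) != 0)
        return -1;
    for (size_t i = 0; i < sizeof quirk_table / sizeof quirk_table[0]; i++)
        if (fnmatch(quirk_table[i].pat, sw, 0) == 0)
            return quirk_table[i].flags;
    return 0;
}

int main(void)
{
    printf("%d\n", quirks_for("SSH-2.0-ExampleSSH_1.4"));  /* known-buggy peer */
    printf("%d\n", quirks_for("SSH-2.0-hidden"));          /* banner rewritten */
    return 0;
}
```

A peer whose banner no longer matches any pattern is treated as having no known bugs, so any workaround it actually needs is silently skipped.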




Re: hiding ssh version

Kees Cook-5
In reply to this post by Dan Howerton
Hi Dan,

On Sat, Mar 28, 2009 at 12:00:40AM -0600, Dan Howerton wrote:
> x@x:~$ telnet 1.1.1.1 22

I recommend "nc" since it doesn't send or process Telnet escape sequences[1].

> I don't quite fancy this so I did some poking around Google and found a patch
> to hide this at
>
> http://www.kramse.dk/projects/unix/opensshhideversion_en.html
>
> Is it possible to get this patch into either the standard openssh package or
> one we can grab through the security repo?

There has been a long-standing bug[2] with upstream, where I supplied
a few versions of possible patches, but they continue to really dislike
the idea.

My reasoning has been that I can already change the banner on other
services (SMTP, e.g.), so why not have the same available for SSH?  I have
been nervous about carrying such a patch in Ubuntu without upstream
approval, though.

I understand their reasoning about not wanting to mess with the protocol
versions, and I get that clients may need to tweak behavior based on the
software version, and I've seen situations where even using the version
comment could be useful to clients, but I think that's all moot since
only a small number of people would even use these options.

If someone wants to try to convince upstream otherwise, I would be very
happy.  :)

-Kees

[1] http://en.wikipedia.org/wiki/Telnet
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=764

--
Kees Cook
Ubuntu Security Team


Re: hiding ssh version

Dan Howerton
Paul:

Security through obscurity implies that I am relying solely on the obscurity alone to secure myself and that is not the case. It is about throwing any possible roadblock in the way of an attacker because if it delays someone x amount of time from gaining access then I get x amount of time to identify a threat and take countermeasures.

http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)


Kees:

Is it not possible to get a package in the repos that incorporates this patch and other hardening measures such as denyhosts? Possibly an ssh-hardened package? It doesn't have to be something that is pushed out with the distro by default but something that people can install if they choose to.



On Sat, Mar 28, 2009 at 10:15 AM, Kees Cook <[hidden email]> wrote:
> Hi Dan,
>
> On Sat, Mar 28, 2009 at 12:00:40AM -0600, Dan Howerton wrote:
>> x@x:~$ telnet 1.1.1.1 22
>
> I recommend "nc" since it doesn't send or process Telnet escape sequences[1].
>
>> I don't quite fancy this so I did some poking around Google and found a patch
>> to hide this at
>>
>> http://www.kramse.dk/projects/unix/opensshhideversion_en.html
>>
>> Is it possible to get this patch into either the standard openssh package or
>> one we can grab through the security repo?
>
> There has been a long-standing bug[2] with upstream, where I supplied
> a few versions of possible patches, but they continue to really dislike
> the idea.
>
> My reasoning has been that I can already change the banner on other
> services (SMTP, e.g.), so why not have the same available for SSH?  I have
> been nervous about carrying such a patch in Ubuntu without upstream
> approval, though.
>
> I understand their reasoning about not wanting to mess with the protocol
> versions, and I get that clients may need to tweak behavior based on the
> software version, and I've seen situations where even using the version
> comment could be useful to clients, but I think that's all moot since
> only a small number of people would even use these options.
>
> If someone wants to try to convince upstream otherwise, I would be very
> happy.  :)
>
> -Kees
>
> [1] http://en.wikipedia.org/wiki/Telnet
> [2] https://bugzilla.mindrot.org/show_bug.cgi?id=764
>
> --
> Kees Cook
> Ubuntu Security Team



--
Dan Howerton
http://metacortexsecurity.com
GPG key: 10F5DDA5




Re: hiding ssh version

Kees Cook-5
Hi Dan,

On Sat, Mar 28, 2009 at 03:09:36PM -0600, Dan Howerton wrote:
> Is it not possible to get a package in the repos that incorporates this
> patch and other hardening measures such as denyhosts? Possibly an
> ssh-hardened package? It doesn't have to be something that is pushed out
> with the distro by default but something that people can install if they
> choose to.

I don't think it makes sense to have a forked ssh package in the primary
archive.  However, there's nothing to stop someone from building openssh
with the patch and hosting it in their PPA.

-Kees

--
Kees Cook
Ubuntu Security Team


Re: hiding ssh version

TJ Easter
FWIW, I make use of all banner hiding capabilities on public services
(i.e., the ServerTokens parameter in Apache's configuration) as I do
consider it defense-in-depth.  However, with SSH potentially using the
version banner to negotiate features and functionality, I'd recommend
against using the patch.  I use iptables(8) to lock down access to my
SSH daemon -- in addition to libwrap -- so the only people who are
ever even able to see the banner are likely to be hosts that I "trust"
anyway.


Regards,
TJ Easter

On Sun, Apr 5, 2009 at 9:44 AM, Kees Cook <[hidden email]> wrote:

> Hi Dan,
>
> On Sat, Mar 28, 2009 at 03:09:36PM -0600, Dan Howerton wrote:
>> Is it not possible to get a package in the repos that incorporates this
>> patch and other hardening measures such as denyhosts? Possibly an
>> ssh-hardened package? It doesn't have to be something that is pushed out
>> with the distro by default but something that people can install if they
>> choose to.
>
> I don't think it makes sense to have a forked ssh package in the primary
> archive.  However, there's nothing to stop someone from building openssh
> with the patch and hosting it in their PPA.
>
> -Kees
>
> --
> Kees Cook
> Ubuntu Security Team
>
> --
> ubuntu-hardened mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>



--
"Being a humanist means trying to behave decently without expectation
of rewards or punishment after you are dead."  -- Kurt Vonnegut, 1922
- 2007
http://keyserver1.pgp.com/vkd/DownloadKey.event?keyid=0x5EB6E92FE2340DEF


Re: hiding ssh version

Jeff Schroeder-2
If you rate limit the number of incoming connections / second to sshd  
using iptables all brute force attacks become unpractical.

Sent from my iPhone

On Apr 5, 2009, at 1:04 PM, TJ Easter <[hidden email]> wrote:

> FWIW, I make use of all banner hiding capabilities on public services
> (i.e., the ServerTokens parameter in Apache's configuration) as I do
> consider it defense-in-depth.  However, with SSH potentially using the
> version banner to negotiate features and functionality, I'd recommend
> against using the patch.  I use iptables(8) to lock down access to my
> SSH daemon -- in addition to libwrap -- so the only people who are
> ever even able to see the banner are likely to be hosts that I "trust"
> anyway.
>
>
> Regards,
> TJ Easter
>
> On Sun, Apr 5, 2009 at 9:44 AM, Kees Cook <[hidden email]> wrote:
>> Hi Dan,
>>
>> On Sat, Mar 28, 2009 at 03:09:36PM -0600, Dan Howerton wrote:
>>> Is it not possible to get a package in the repos that incorporates this
>>> patch and other hardening measures such as denyhosts? Possibly an
>>> ssh-hardened package? It doesn't have to be something that is pushed out
>>> with the distro by default but something that people can install if they
>>> choose to.
>>
>> I don't think it makes sense to have a forked ssh package in the primary
>> archive.  However, there's nothing to stop someone from building openssh
>> with the patch and hosting it in their PPA.
>>
>> -Kees
>>
>> --
>> Kees Cook
>> Ubuntu Security Team
>>
>> --
>> ubuntu-hardened mailing list
>> [hidden email]
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>>
>
>
>
> --
> "Being a humanist means trying to behave decently without expectation
> of rewards or punishment after you are dead."  -- Kurt Vonnegut, 1922
> - 2007
> http://keyserver1.pgp.com/vkd/DownloadKey.event?keyid=0x5EB6E92FE2340DEF
>
> --
> ubuntu-hardened mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened


Re: hiding ssh version

Jeronimo Zucco

Quoting Jeff Schroeder <[hidden email]>:

> If you rate limit the number of incoming connections / second to sshd
> using iptables all brute force attacks become unpractical.


Or use OSSEC (www.ossec.net) to break brute force attacks easily.



--
Jeronimo Zucco
LPIC-1 Linux Professional Institute Certified
Universidade de Caxias do Sul - NPDU

http://jczucco.blogspot.com


---------------------------------------
This message was sent by UCS Mail


