[Gllug] compromised?
Nix
nix at esperi.demon.co.uk
Wed Feb 26 21:46:26 UTC 2003
On Mon, 24 Feb 2003, Tethys mused:
>
> James de Lurker writes:
>
>>Oh - and make the software LIE or be unspecific about what version it
>>is ( a simple telnet connection to port 22 and a couple of CRs will
>>persuade a target system to yield too much information than can be
>>good for it ).
>
> Don't kid yourself. How many times does the "security through obscurity
> doesn't work" mantra have to be repeated? Any halfway decent cracking script
> will try to negotiate an SSH handshake to test what's on the end of an open
> port, rather than just trusting what's reported in the banner.
It's worse than that; making sshd lie about its version number will probably
break other classes of connection, too.
Most (all?) ssh clients *rely* upon that version string, so they can
compensate for any bugs present in that version. In a few cases, lying
about the version number of sshd can actually reduce the security of
connections made via that sshd.
--
2003-02-01: the day the STS died.
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
More information about the GLLUG
mailing list