joe7 Posted November 1, 2009

I took the IP address of a website and appended :22 to the end and got this return:

SSH-2.0-OpenSSH_ver-num

The version is several versions old. I think that is bad because it's telling a possible attacker what version of OpenSSH they are running, so the attacker would know what exploits to try to run.

Then I ran curl to see what server software they are running:

curl -I IP address
...
Server: Microsoft-IIS/6.0

This too is bad for the same reason. How can this information be hidden? Could a scanner have found this information? Does this information being available even matter?
Sparda Posted November 1, 2009

Yes on both cases. You can disable IIS server headers according to this. SSH, on the other hand, needs the version number to be sent so the client knows what it's dealing with.
joe7 (Author) Posted November 1, 2009

> Yes on both cases.

OK, so having the SSH version and server software known is bad. Let's fix this.

> You can disable IIS server headers according to this.

Thanks. That will be useful.

> SSH, on the other hand, needs the version number to be sent so the client knows what it's dealing with.

Really? So that means there is no way to hide or fake the version without breaking things? Having a version reply show up in a web browser seems old for SSH. At least that should be disabled somehow, but if a scanner can find the version then there is no point.
SWFu Posted November 1, 2009

> Really? So that means there is no way to hide or fake the version without breaking things? Having a version reply show up in a web browser seems old for SSH. At least that should be disabled somehow, but if a scanner can find the version then there is no point.

Err, upgrade?
joe7 (Author) Posted November 2, 2009

> Err, upgrade?

That is not always an option, and still the version would be displayed.
Jason Cooper Posted November 2, 2009

If your security relies on hiding the version number of the software that you are using then you have real problems. Having version numbers picked up by scanners and other software can also help sysadmins keep track of what versions are in use and plan which ones to upgrade next.
Sparda Posted November 2, 2009

Also, not providing the version number does not stop attackers from trying recent exploits.
dr0p Posted November 3, 2009

> Also, not providing the version number does not stop attackers from trying recent exploits.

Which they will. Especially if it's on the perimeter of your network and it doesn't take any effort to get to it.
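Added example, not from any of the posts above: a small Python checker that parses the two banners the thread looks at, the mandatory SSH identification string (RFC 4253 section 4.2, which is why it cannot simply be switched off) and the HTTP Server header from a curl -I response, and flags versions below a patch floor, the inventory use Jason Cooper describes. The MINIMUM_VERSIONS policy values and the OpenSSH_4.3 sample banner are constructed assumptions; the IIS/6.0 header is the one quoted in the thread.

```python
import re

# RFC 4253 section 4.2: SSH-protoversion-softwareversion [SP comments] CR LF.
# A server must send this line before key exchange, so the software string is always visible.
SSH_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)
# OpenSSH software string such as OpenSSH_5.3p1; the "pN" portable-release suffix is optional.
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?:p\d+)?")
# Server header as seen in a curl -I response, e.g. "Server: Microsoft-IIS/6.0".
HTTP_SERVER_RE = re.compile(
    r"^Server:[ \t]*(?P<product>[^/\r\n]+?)(?:/(?P<ver>\d+(?:\.\d+)*))?(?:[ \t][^\r\n]*)?\r?$",
    re.IGNORECASE | re.MULTILINE,
)
# Placeholder patch policy (assumption): oldest version still acceptable per product.
MINIMUM_VERSIONS = {"OpenSSH": (5, 3), "Microsoft-IIS": (7, 0)}


def version_tuple(text):
    """'6.0' -> (6, 0) so versions compare numerically rather than as strings ('10' < '9')."""
    return tuple(int(part) for part in text.split("."))


def parse_ssh_banner(line):
    """Return {'product', 'version', 'proto'} for an SSH identification string, or None if malformed."""
    m = SSH_BANNER_RE.match(line)
    if not m:
        return None
    record = {"product": m.group("software"), "version": None, "proto": m.group("proto")}
    o = OPENSSH_RE.match(m.group("software"))
    if o:  # normalise OpenSSH so the version can be compared against policy
        record["product"] = "OpenSSH"
        record["version"] = version_tuple(o.group("ver"))
    return record


def parse_http_server_header(headers):
    """Return {'product', 'version'} from raw HTTP response headers, or None if no Server header."""
    m = HTTP_SERVER_RE.search(headers)
    if not m:
        return None
    ver = version_tuple(m.group("ver")) if m.group("ver") else None
    return {"product": m.group("product").strip(), "version": ver}


def is_outdated(record, minimums=MINIMUM_VERSIONS):
    """True when the record names a tracked product whose version is below the policy minimum."""
    if not record or record["version"] is None:
        return False
    floor = minimums.get(record["product"])
    return floor is not None and record["version"] < floor


# Constructed sample data: an old OpenSSH banner and the IIS header quoted in the thread.
SAMPLE_SSH = "SSH-2.0-OpenSSH_4.3\r\n"
SAMPLE_HTTP = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for rec in (parse_ssh_banner(SAMPLE_SSH), parse_http_server_header(SAMPLE_HTTP)):
        print(rec, "OUTDATED" if is_outdated(rec) else "ok")
```

Running it against banners collected by a scanner gives the version inventory the thread argues for, rather than a reason to suppress the banner.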