FreeBSD Security + Firewall set up

Lou Kamenov lou.kamenov at aeye.net
Wed Nov 27 13:30:46 GMT 2002


In some email I received from "Dimitris" <sehh at altered.com> on Wed, 27
Nov 2002 12:10:04 +0000 (GMT) :
> On Tue, 26 Nov 2002 15:24:33 -0600, Georges wrote:
> 
> >when done, goto www.sygate.com and at the bottom of the page there is
> >another page for testing. Follow the instructions
> >to test your firewall.
> 
> While running the port scanner on that website, I noticed that sshd
> under fbsd reports the operating system to the remote client.
> 
> For example, my sshd reports:
> SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
> The sshd on linux only reports:
> SSH-1.99-OpenSSH_3.1p1
> I consider this a security risk. I take all precautions not to
> advertise the operating system that I'm using, and sshd just plainly
> does the opposite :(

/usr/src/crypto/openssh/version.h:6 (OpenSSH version) 
#define SSH_VERSION_BASE        "OpenSSH" /* _3.5p1 */
					
/usr/src/crypto/openssh/version.h:7 (FreeBSD AD) 
/* #define SSH_VERSION_ADDENDUM    "FreeBSD-2002XXXX" */

/usr/src/crypto/openssh/version.c:40 (FreeBSD AD)
(version = xstrdup(SSH_VERSION_BASE " " SSH_VERSION_ADDENDUM);)

cd /usr/src/security/lib/libssh && make clean 
make depend && make && make install
cd /usr/src/security/usr.sbin/sshd && make clean
make depend && make && make install

however removing only FreeBSD AD would do:) 
removing the version might bring *errrm* unwanted results.

> Ideally, it shouldn't even report the version number (3.4p1) just in
> case there are vulnerabilities on it. That doesn't mean it makes
> things a lot more secure, but it helps a little bit by removing
> information that can be used by someone else.

yes, and making it more attractive also.


cheers,
-lk

----

Lou Kamenov	lou at freebsd-bg.org		lou at seclab.aeye.net
FreeBSD BGUG	http://www.freebsd-bg.org	http://www.aeye.net
Key Fingerprint - 936F F64A AD50 2D27 07E7  6629 F493 95AE A297 084A
One advantage of talking to yourself is that you know at least
somebody's listening. - Franklin P. Jones 
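
Added example (not part of the original message, and not OpenSSH or FreeBSD code): a small Python check that splits an sshd identification string into its fields and lists what it tells a remote client, run over the two banners quoted in the message. The function names and the read_banner helper are assumptions of this example; read_banner is meant for verifying a rebuilt sshd on a host you administer.

```python
import re
import socket

# Identification string layout: SSH-<protoversion>-<softwareversion>[ <comments>]
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# A trailing "_<digits...>" on the software field, e.g. OpenSSH_3.4p1
VERSION_RE = re.compile(r"_(\d[\w.]*)$")


def parse_banner(line):
    """Split an SSH identification string into its fields, or return None."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def disclosures(line):
    """List what a banner reveals beyond the protocol version."""
    fields = parse_banner(line)
    if fields is None:
        return ["not an SSH identification string"]
    found = []
    ver = VERSION_RE.search(fields["software"])
    if ver:
        found.append("software version " + ver.group(1))
    if fields["comments"]:
        # On FreeBSD this is the SSH_VERSION_ADDENDUM text
        found.append("addendum '" + fields["comments"] + "'")
    return found


def read_banner(host, port=22, timeout=5.0):
    """Read the first line sent by an sshd you administer (hypothetical helper)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.makefile("rb").readline(255).decode("ascii", "replace")


# The two banners quoted in the message above.
SAMPLES = [
    "SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702",
    "SSH-1.99-OpenSSH_3.1p1",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(banner, "->", disclosures(banner) or ["nothing extra"])
```

After rebuilding sshd, disclosures(read_banner("127.0.0.1")) should no longer list the addendum.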