FreeBSD Security + Firewall set up

Lou Kamenov lou.kamenov at
Wed Nov 27 13:30:46 GMT 2002

In some email I received from "Dimitris" <sehh at> on Wed, 27
Nov 2002 12:10:04 +0000 (GMT) :
> On Tue, 26 Nov 2002 15:24:33 -0600, Georges wrote:
> >when done, goto and at the bottom of the page there is
> >another page for testing. Follow the instructions
> >to test your firewall.
> While running the port scanner on that website, I noticed that sshd
> under fbsd reports the operating system to the remote client.
> For example, my sshd reports:
> SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
> The sshd on linux only reports:
> SSH-1.99-OpenSSH_3.1p1
> I consider this a security risk. I take all precautions not to
> advertise the operating system that I'm using, and sshd just plainly
> does the opposite :(

/usr/src/crypto/openssh/version.h:6 (OpenSSH version) 
#define SSH_VERSION_BASE        "OpenSSH" /* _3.5p1 */
/usr/src/crypto/openssh/version.h:7 (FreeBSD AD) 
/* #define SSH_VERSION_ADDENDUM    "FreeBSD-2002XXXX" */

/usr/src/crypto/openssh/version.c:40 (FreeBSD AD)

cd /usr/src/security/lib/libssh && make clean 
make depend && make && make install
cd /usr/src/security/usr.sbin/sshd && make clean
make depend && make && make install

however removing only FreeBSD AD would do:) 
removing the version might bring *errrm* unwanted results.

> Ideally, it shouldn't even report the version number (3.4p1) just in
> case there are vulnerabilities on it. That doesn't mean it makes
> things a lot more secure, but it helps a little bit by removing
> information that can be used by someone else.

yes, and making it more attractive also.



Lou Kamenov	lou at		lou at
Key Fingerprint - 936F F64A AD50 2D27 07E7  6629 F493 95AE A297 084A
One advantage of talking to yourself is that you know at least
somebody's listening. - Franklin P. Jones 
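
Added example, not part of the original message or of the FreeBSD/OpenSSH sources: a small Python check that splits an SSH identification string into the fields discussed in this thread (software version and the FreeBSD addendum) and reports which of them a banner discloses, so the result of a rebuild can be verified against your own sshd. The function names, and the 127.0.0.1:22 default in fetch_banner, are assumptions chosen for illustration.

```python
import re
import socket

# RFC 4253 section 4.2 layout: "SSH-protoversion-softwareversion SP comments"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# Matches release numbers such as "3.4p1" inside the software field.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+(?:p\d+)?")

def parse_banner(line):
    """Split an SSH identification string into proto/software/comments."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.groupdict()

def audit_banner(line):
    """Return a list of findings describing what the banner discloses."""
    fields = parse_banner(line)
    findings = []
    ver = VERSION_RE.search(fields["software"])
    if ver:
        findings.append("software version: " + ver.group(0))
    if fields["comments"]:
        findings.append("addendum/comment: " + fields["comments"])
    return findings

def fetch_banner(host="127.0.0.1", port=22, timeout=5.0):
    """Read the identification line your own sshd sends on connect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        for raw in s.makefile("rb"):
            line = raw.decode("ascii", "replace")
            # Servers may send other lines before the "SSH-" line.
            if line.startswith("SSH-"):
                return line
    raise ValueError("no SSH identification string received")

# The two banners quoted in the thread above.
SAMPLES = [
    "SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\r\n",
    "SSH-1.99-OpenSSH_3.1p1\r\n",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.strip(), "->", audit_banner(s))
```

After rebuilding sshd, audit_banner(fetch_banner()) run on the server itself shows whether the addendum is still being sent.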
