[ On Thursday, August 16, 2001 at 14:29:24 (-0600), Apolis, Jeff wrote: ]
> Subject: Hide ssh version string?
>
> ... well our security policy dictates that we obscure the version numbers of
> any running application when at all possible - to make a hacker's job just a
> little bit harder.

Why bother?  That's just idiotic security by obscurity.  If anything
it'll invite more attack attempts than it thwarts!  "Oh, look!  Some
idiot thinks he can hide his broken SSHd from me!  Watch this!"  :-)

Attack robots will often attack anyway.  Witness CodeRed and its
variants.  I've thousands of "attacks" in my apache logs -- it sure as
heck didn't bother to check what web server I was running, let alone
what release.....

> Are there any negative side effects to doing this?

I suspect some subtle interoperability issues with other variants of SSH
which try to determine OpenSSH bugs based on its reported version number.

> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">

Please DO NOT EVER send HTML crap to public mailing lists (or to me!)!

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <[EMAIL PROTECTED]>     <[EMAIL PROTECTED]>
Planix, Inc. <[EMAIL PROTECTED]>;   Secrets of the Weird <[EMAIL PROTECTED]>
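
Added example, not part of the original message and not code from any SSH implementation: a peer that selects bug workarounds from the software version in the SSH identification string, the behaviour the reply suspects, applies none of them once that field is obscured. The quirk table, the workaround names and the banners are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Identification string layout: SSH-protoversion-softwareversion[ SP comments]
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-([^\s-]+)(?: (.*))?$")

# Constructed (hypothetical) quirk table: glob on softwareversion -> workarounds.
# Real implementations keep their own tables; these entries are illustrative.
QUIRKS = [
    ("OpenSSH_2.[0-2]*", {"legacy_kex_guess"}),
    ("OpenSSH_2.*", {"old_rekey"}),
]


def parse_banner(line):
    """Return (protoversion, softwareversion, comments) or raise ValueError."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.group(1), m.group(2), m.group(3) or ""


def workarounds_for(line):
    """Collect every workaround whose pattern matches the peer's software version."""
    _, software, _ = parse_banner(line)
    enabled = set()
    for pattern, flags in QUIRKS:
        if fnmatchcase(software, pattern):
            enabled |= flags
    return enabled


def lost_workarounds(real_banner, shown_banner):
    """Workarounds the peer would have applied had it seen the real version."""
    return workarounds_for(real_banner) - workarounds_for(shown_banner)


if __name__ == "__main__":
    real = "SSH-1.99-OpenSSH_2.1.1\r\n"   # constructed: what the daemon really is
    shown = "SSH-1.99-Server\r\n"         # constructed: obscured software version
    print("peer sees:", parse_banner(shown))
    print("workarounds no longer applied:", sorted(lost_workarounds(real, shown)))
```

The protocol version field has to stay intact in any case, since the peer needs it to negotiate; only the software version part is what a peer would pattern-match for known bugs.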
