Prevent SSH from advertising its version number

Solution 1:

While it's prohibitively difficult to hide the version number of your SSH daemon, you can easily hide the Linux version (Debian-3ubuntu4).

Add the following line to /etc/ssh/sshd_config:

DebianBanner no

And restart your SSH daemon: /etc/init.d/ssh restart or service ssh restart.

Solution 2:

Hiding those won't secure your server. There are many more ways to fingerprint what your system is running. For SSH in particular, the version announcement is part of the protocol and is required.

http://www.snailbook.com/faq/version-string.auto.html
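To make concrete what Solutions 1 and 2 are describing, here is an added example (not code from either answer) that splits an SSH identification line into the fields RFC 4253 defines: "SSH-protoversion-softwareversion SP comments". The protocol and software versions are mandatory, which is why the version cannot be hidden; the optional comment field is where the Debian/Ubuntu package suffix appears, and that is the part DebianBanner no removes. The sample banners are constructed, not captured from a real host; read_banner() is included only so the same parser can be pointed at one of your own servers.

```python
import re
import socket

# RFC 4253 section 4.2 identification string:
#   SSH-protoversion-softwareversion SP comments CR LF
# protoversion and softwareversion are required by the protocol;
# comments is optional and is where the distribution suffix lives.
_ID_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_banner(line: str) -> dict:
    """Split one SSH identification line into its protocol fields.

    Raises ValueError when the line is not a valid identification string.
    """
    line = line.rstrip("\r\n")
    m = _ID_RE.match(line)
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments"),  # None when no comment field is present
    }


def read_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification line from a live sshd (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        # RFC 4253 allows the server to send other lines first; skip them.
        while True:
            raw = f.readline()
            if not raw:
                raise ConnectionError("server closed before sending identification")
            line = raw.decode("ascii", errors="replace")
            if line.startswith("SSH-"):
                return line


# Constructed sample banners (assumed values, not from any real host):
# the first is what a stock Ubuntu sshd might send, the second the same
# daemon with the comment field suppressed.
SAMPLE_WITH_COMMENT = "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n"
SAMPLE_WITHOUT_COMMENT = "SSH-2.0-OpenSSH_8.9p1\r\n"

if __name__ == "__main__":
    for banner in (SAMPLE_WITH_COMMENT, SAMPLE_WITHOUT_COMMENT):
        print(parse_banner(banner))
```

Running the parser over both samples shows that only the comments field changes between them; proto and software stay visible either way, which is the point Solution 2 makes.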


Solution 3:

Almost universally, identifying banners are part of the compiled code and do not have configuration options to alter or suppress them. You will have to recompile those pieces of software.


Solution 4:

I'm pretty sure you can't actually change the version announcement.

The best ways to secure sshd are:

  1. Change the default port number.
  2. Forbid root logons.
  3. Force protocol 2 (assuming that it's not done by default).
  4. Whitelist the servers that are allowed to SSH in.

The first three can be done by modifying /etc/sshd_config

The fourth depends on which firewall software you're using.
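As an added illustration of the first three points (example settings, not taken from the answer above), this is how they look in /etc/ssh/sshd_config, together with the DebianBanner line from Solution 1. The port, user name and addresses are assumed placeholder values; "Protocol 2" only matters on releases old enough to still ship SSH-1 server support, which OpenSSH removed in 7.4, and current sshd treats the keyword as deprecated.

```text
# /etc/ssh/sshd_config - example hardening settings (assumed values)

# 1. Non-default port. This only reduces noise from bulk scanners;
#    a targeted scan will still find the service.
Port 2222

# 2. No direct root logins.
PermitRootLogin no

# 3. Only SSH-2. Harmless but unnecessary on OpenSSH 7.4 and later.
Protocol 2

# Defence in depth for point 4: even with a firewall whitelist,
# restrict which users may log in and from where (CIDR is accepted).
AllowUsers admin@192.0.2.10 admin@203.0.113.0/24

# Prefer key authentication over passwords.
PasswordAuthentication no

# From Solution 1: drop the distribution suffix from the banner.
DebianBanner no
```

After editing, run "sshd -t" to syntax-check the file before restarting the daemon, and keep an existing session open until you have confirmed a new login works.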


Solution 5:

As said above, changing a version number is

  1. Hard to do
  2. Security through obscurity
  3. Not flexible

What I suggest is implementing Port Knocking. It's a fairly simple technique to hide anything that is running on your server.

Here is a good implementation: http://www.zeroflux.org/projects/knock

This is how I implemented it on my servers (other numbers) to open SSH only to the people who know 'the secret knock':

[openSSH]
    sequence = 300,4000,32
    seq_timeout = 5
    command = /opencloseport.sh %IP% 2305
    tcpflags = syn

This will give a 5-second window in which the 3 SYN packets need to be received in the right order. Choose ports that are far from each other and not sequential. That way, a port scanner can't open the port by accident. These ports do not need to be opened by iptables.

The script I call is this one. It opens a particular port for 5 seconds for the IP sending the SYN packets.

#!/bin/bash
# Called by knockd: $1 = source IP that completed the knock, $2 = port to open
/sbin/iptables -I INPUT -s "$1" -p tcp --dport "$2" -j ACCEPT
sleep 5
/sbin/iptables -D INPUT -s "$1" -p tcp --dport "$2" -j ACCEPT

It can be a real pain to send the SYN packets, so I use this script to connect to the SSH of my servers:

#!/bin/bash
# Usage: script <host> <port1> <port2> <port3> <user> <ssh-port>
knock "$1" "$2"
knock "$1" "$3"
knock "$1" "$4"
ssh "$5@$1" -p "$6"

(It's pretty obvious what is happening here...)

After the connection is established, the port can be closed. Hint: use key authentication. Otherwise you need to be very fast to type your password.
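The claims in this answer about ordering, the 5-second window and accidental opening by a port scanner can be checked with a small model of the sequence tracking. The following is an added example, not code from the answer or from the knock project; it assumes knockd's behaviour is "wrong port resets the source's progress, and progress older than seq_timeout is discarded", and feeds it constructed SYN events (timestamp, source IP, destination port) rather than real traffic.

```python
from dataclasses import dataclass

KNOCK_SEQUENCE = (300, 4000, 32)   # the sequence from the knockd stanza above
SEQ_TIMEOUT = 5.0                  # seconds, from seq_timeout = 5


@dataclass
class KnockState:
    next_index: int      # position in the sequence expected next
    started_at: float    # timestamp of the first correct knock


class KnockDetector:
    """Per-source tracking of a knock sequence (assumed model of knockd)."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.states = {}     # src_ip -> KnockState for sources mid-sequence
        self.opened = []     # (timestamp, src_ip) for every completed sequence

    def syn(self, ts: float, src_ip: str, dst_port: int) -> bool:
        """Feed one SYN; return True if it completes the sequence for src_ip."""
        st = self.states.pop(src_ip, None)
        if st is not None and ts - st.started_at > self.timeout:
            st = None                                      # window expired
        if st is not None and dst_port == self.sequence[st.next_index]:
            st.next_index += 1                             # correct knock
        elif dst_port == self.sequence[0]:
            st = KnockState(next_index=1, started_at=ts)   # (re)start
        else:
            st = None                                      # wrong port resets
        if st is None:
            return False
        if st.next_index == len(self.sequence):
            self.opened.append((ts, src_ip))               # command would run here
            return True
        self.states[src_ip] = st
        return False


def replay(events):
    """Run a list of (ts, src_ip, dst_port) SYNs; return the IPs that opened."""
    det = KnockDetector()
    for ts, ip, port in events:
        det.syn(ts, ip, port)
    return [ip for _, ip in det.opened]


def ascending_scan(src_ip, first=1, last=4096, interval=0.001):
    """Constructed SYNs of a sequential port scan, one port every `interval` s."""
    return [(i * interval, src_ip, port) for i, port in enumerate(range(first, last + 1))]


if __name__ == "__main__":
    good = [(0.0, "198.51.100.7", 300), (1.0, "198.51.100.7", 4000), (2.0, "198.51.100.7", 32)]
    print("correct knock:", replay(good))                      # ['198.51.100.7']
    print("sequential scan:", replay(ascending_scan("198.51.100.9")))   # []
```

The scan case shows why the answer recommends non-sequential ports: an ascending scan hits 32, 300 and 4000 in the wrong order and resets on every port in between, so it never completes the sequence. A sequence such as 300, 301, 302 would be opened by exactly that scan.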

Tags: Linux, Security