[wellylug] suppressing sshd connect string

Enkidu enkidu at cliffp.com
Sat Sep 11 11:09:42 NZST 2004


On Sat, 11 Sep 2004 03:20:16 +1200, you wrote:

>In message <ski2k018oei8on1ndbrs3ao8d57dgfr74l at 4ax.com>, Enkidu writes:
>>I'd disagree. The very first thing that the script kiddie's program
>>sees is the banner. Then he doesn't have to write his program to find
>>the right holes.
>
>1.  Script kiddies don't write programs; that's the point of the term.
>
>2.  Script kiddies run the exploit attempt anyway, the version string 
>    is irrelevant.  They'll run windows exploits against non-windows
>    systems, etc, so they're not going to let a mere mismatched version
>    string put them off.  They're not even going to check the version
>    string.  The motto of a script kiddie is "it might work anyway".
>
>3.  Either you have a vulnerable service or you don't.  If you do, then
>    you should patch it.  If you don't, it doesn't really matter if they
>    know which version it is.
>
>And finally, as someone else said, if you care about people seeing what
>services are being offered, then you need some other form of security,
>such as port knocking, or firewalling services down to trusted hosts
>(eg, many of my systems are run with ssh only allowed in from trusted
>management hosts).
>
>Ewen
>
>PS: Alas the ssh version is part of the protocol negotiation now due 
>    to some unfortunate implementation choices when the protocol went
>    from version 1.0 to later versions, along with a good helping of
>    politics (ssh went non-free, openssh came along later, etc).

1. Yes, I know but someone has to write the exploit in the first
place.

2. This demonstrates the laziness of script kiddies. If the writer
knows of exploit X that works if he gets *this* string back, he is not
likely to code multiple exploits. He is not targeting particular
machines, normally. He is scanning hundreds of machines. I've not
checked but I'd suspect that a particular script is used for a
particular exploit. Are there multi-exploit scripts out there?

3. I'd say a big Hah! to this. In my RedHat days I was root-kitted
through an SSH1 bug on a system that I kept up to date almost on a
daily basis. However, what you say is at least four-nines true.

If someone tries to connect to my machine on the port that I am
listening for ssh connections, be it the default or one I've chosen,
then I assume that he wants to talk ssh. Why do I have to tell him
that it is ssh and in particular this particular version? OK, it's in
the protocol.

A legitimate user doesn't care about the version. It's only of use to
script writers and users. 

My last comment on the subject.... I think it's been done to death by
now!

Cheers,

Cliff

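The point both sides of this thread agree on, that the version string is part of the protocol, is easy to see from the identification exchange itself. The following is an added example, not code from the original post or from OpenSSH: it implements the SSH-2 identification line of RFC 4253 section 4.2 ("SSH-protoversion-softwareversion SP comments CR LF") as a small parser, a builder, and a loopback exchange in which each side sends its line and reads the other's. It shows which parts a conforming peer must send (protoversion and softwareversion) and which are optional (comments, and any lines a server emits before its identification line). The 16-line cap on pre-identification junk and the sample software strings are assumptions chosen for the demonstration; the RFC sets no such cap.

```python
"""SSH-2 identification string exchange, after RFC 4253 section 4.2.

Added example: not code from the original post or from any SSH implementation.
"""
import re
import socket
import threading

# Grammar: SSH-protoversion-softwareversion SP comments CR LF
# softwareversion: printable US-ASCII, no whitespace, no minus sign.
# The whole line is at most 255 bytes including CR LF. A bare LF is
# accepted here because older implementations sent one.
_BANNER_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<sw>[\x21-\x2c\x2e-\x7e]+)"
    rb"(?: (?P<comments>[\x20-\x7e]*))?\r?\n$"
)
MAX_BANNER_LEN = 255
MAX_PRE_LINES = 16  # assumed local cap on junk lines before "SSH-"; RFC sets none


def parse_banner(line: bytes) -> dict:
    """Split an identification line into its mandatory and optional parts.

    Raises ValueError on anything a conforming peer would refuse.
    """
    if len(line) > MAX_BANNER_LEN:
        raise ValueError("identification string longer than 255 bytes")
    m = _BANNER_RE.match(line)
    if m is None:
        raise ValueError("malformed identification string: %r" % line)
    comments = m.group("comments")
    return {
        "proto": m.group("proto").decode("ascii"),
        "software": m.group("sw").decode("ascii"),
        "comments": None if comments is None else comments.decode("ascii"),
    }


def build_banner(software: str, comments=None) -> bytes:
    """Build an SSH-2.0 identification line; softwareversion is mandatory."""
    line = b"SSH-2.0-" + software.encode("ascii")
    if comments is not None:
        line += b" " + comments.encode("ascii")
    line += b"\r\n"
    parse_banner(line)  # refuse to emit a line we would not accept ourselves
    return line


def read_banner(sock: socket.socket) -> bytes:
    """Read the peer's identification line, skipping lines sent before it.

    RFC 4253 lets a server send other lines first; a client must ignore
    lines that do not start with "SSH-".
    """
    for _ in range(MAX_PRE_LINES):
        line = b""
        while not line.endswith(b"\n"):
            ch = sock.recv(1)
            if not ch:
                raise ConnectionError("peer closed before sending identification")
            line += ch
            if len(line) > MAX_BANNER_LEN:
                raise ValueError("line too long")
        if line.startswith(b"SSH-"):
            return line
    raise ValueError("no identification string within %d lines" % MAX_PRE_LINES)


def exchange(server_software: str, client_software: str, server_pre_lines=()):
    """Run the exchange over loopback; return what each side parsed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    result = {}

    def server():
        conn, _ = listener.accept()
        with conn:
            for pre in server_pre_lines:  # optional lines before "SSH-"
                conn.sendall(pre + b"\r\n")
            conn.sendall(build_banner(server_software))
            result["client_seen_by_server"] = parse_banner(read_banner(conn))

    t = threading.Thread(target=server)
    t.start()
    with socket.create_connection(listener.getsockname()) as c:
        result["server_seen_by_client"] = parse_banner(read_banner(c))
        c.sendall(build_banner(client_software))
    t.join()
    listener.close()
    return result["server_seen_by_client"], result["client_seen_by_server"]


if __name__ == "__main__":
    # Sample software strings are constructed for the demonstration.
    srv, cli = exchange("OpenSSH_3.9p1", "demo_client_1",
                        server_pre_lines=[b"Authorized use only."])
    print("client saw server:", srv)
    print("server saw client:", cli)
```

Note what the parser enforces: a line such as `SSH-2.0-` with nothing after the second dash is rejected, so the most a server can do within the protocol is choose an uninformative softwareversion and omit the comments; it cannot leave the field out.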