[wellylug] suppressing sshd connect string

Nigel Roberts nigel at nobiscuit.com
Sat Sep 11 11:32:05 NZST 2004


On Sat, 11 Sep 2004 at 11:09:42 +1200, Enkidu wrote:
> 1. Yes, I know but someone has to write the exploit in the first
> place.

Yes, but programmers are lazy too. They won't add code to the exploit
that will check the ssh version if they can just add a line of text to
the readme/comment saying "This only works on version x".

> 2. This demonstrates the laziness of script kiddies. If the writer
> knows of exploit X that works if he gets *this* string back, he is not
> likely to code multiple exploits. He is not targeting particular
> machines, normally. He is scanning hundreds of machines. I've not
> checked but I'd suspect that a particular script is used for a
> particular exploit. Are there multi-exploit scripts out there?

The idea is that script kiddies collect ssh exploits for all versions,
and then run them all against every host they can get to. That's the
easiest way to get a result, it's not like they care about
efficiency or network utilisation. It's like spam in this respect.

> 3. I'd say a big Hah! to this. In my RedHat days I was root-kitted
> through an SSH1 bug on a system that I kept up to date almost on a
> daily basis. However, what you say is at least four-nines true.
> 
> If someone tries to connect to my machine on the port that I am
> listening for ssh connections, be it the default or one I've chosen,
> then I assume that he wants to talk ssh. Why do I have to tell him
> that it is ssh and in particular this particular version? OK, it's in
> the protocol.
> 
> A legitimate user doesn't care about the version. It's only of use to
> script writers and users. 

What? A legitimate user DOES care about the version, because if it's
not correct, then there's a good chance that it won't actually
work. The string is there to get around certain issues with
compatibility between versions.

> My last comment on the subject.... I think it's been done to death by
> now!

Yes well, I can't hear any fat ladies warming up yet...

Nigel
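
The compatibility role of the identification string discussed in this message, shown as an added example that is not part of the original post: a client-side parser for the "SSH-protoversion-softwareversion comments" line (format per RFC 4253 section 4.2) that then picks a protocol version both sides speak. The function names and the sample banners are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
IDENT_RE = re.compile(r"^SSH-([^-\s]+)-(\S+)(?: (.*))?$")

def parse_ident(data: bytes) -> dict:
    """Find and parse the identification line in a server's opening bytes."""
    for raw in data.split(b"\n"):
        # A server may send other text lines first; only "SSH-" lines count.
        if not raw.startswith(b"SSH-"):
            continue
        if len(raw) + 1 > 255:  # the 255-byte limit includes CR LF
            raise ValueError("identification string too long")
        m = IDENT_RE.match(raw.rstrip(b"\r").decode("ascii"))
        if m is None:
            raise ValueError("malformed identification string")
        return {"proto": m.group(1), "software": m.group(2),
                "comments": m.group(3)}
    raise ValueError("no identification string")

def pick_protocol(client_majors: set, server_opening: bytes) -> int:
    """Return the highest protocol major version both sides support."""
    proto = parse_ident(server_opening)["proto"]
    if proto == "1.99":
        # RFC 4253 section 5.1: "1.99" means the server speaks 1.x and 2.0.
        offered = {1, 2}
    elif proto == "2.0":
        offered = {2}
    elif proto.startswith("1."):
        offered = {1}
    else:
        raise ValueError("unknown protocol version " + proto)
    common = offered & client_majors
    if not common:
        # Without the string the client would only find this out mid-handshake.
        raise ConnectionError("no SSH protocol version in common")
    return max(common)

if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for banner in (b"SSH-2.0-ExampleSSH_2.1 test build\r\n",
                   b"notice line\r\nSSH-1.99-ExampleSSH_1.9\r\n",
                   b"SSH-1.5-ExampleSSH_0.3\r\n"):
        print(parse_ident(banner), pick_protocol({1, 2}, banner))
```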



