rpm version-release in Version strings of OpenSSH, Apache etc?
Pekka Savola
pekkas at netcore.fi
Fri Sep 26 17:11:27 UTC 2003
On Fri, 26 Sep 2003, Vincent wrote:
> On Fri, 26 Sep 2003 09:21:45 -0600
> Stephen Smoogen <smoogen at lanl.gov> wrote:
>
> > However security through obscurity is not security. The people who are
> > looking for 'unpatched' servers are going to run the 4 line hack anyway
> > with their autoscripts.
>
> Agreed, obscurity does not work for most things but what if that 4 line
> script doesn't work? They'll know exactly what to look for. Not to mention
> a lot of the people who want in do not want flags going off everywhere so they
> enumerate services first then apply exploits based on that information. It's
> kind of a moot point in this example though because I'm pretty sure that the
> SSH protocol needs valid banners to work correctly anyway.
You're already in pretty deep shit if you're worried about someone
exploiting your SSH services and they get to see the banner. This means
you haven't firewalled away the port or put in TCP Wrappers for it.
Banners are used to enable bug workarounds for broken versions, so they're
pretty useful.. :-)
There is an option in OpenSSH so you can set the Version string yourself
if you want, btw.
So, IMHO, version strings could seem quite handy. AFAIK, Debian already
does this, and FreeBSD as well. (These two examples from OpenSSH.)
--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
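The thread above argues about what an attacker learns from the SSH identification string, and where a distribution's package version ends up in it. As an added illustration (not code from the thread, from OpenSSH or from any distribution), the parser below splits an identification string into the three fields RFC 4253 section 4.2 defines: "SSH-protoversion-softwareversion SP comments CR LF". The softwareversion field is what SSH clients match against for compatibility workarounds; the optional comments field after the first space is where a vendor string such as a Debian or FreeBSD package revision is carried, and in current OpenSSH the sshd_config directive VersionAddendum appends text there. The sample banners are constructed for this example; they are not captured from real hosts.

```python
"""Parse SSH identification strings (RFC 4253 section 4.2).

Added example for this thread; not code from OpenSSH or from any distribution.
The SAMPLE_* banners below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 4253 4.2: SSH-protoversion-softwareversion SP comments CR LF
# The RFC forbids whitespace and '-' inside softwareversion, but real
# servers do send hyphens there (e.g. "SSH-2.0-Cisco-1.25"), so this
# parser only treats the first space as the softwareversion/comments split.
_ID_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")

# RFC 4253 4.2: the whole line including CR LF must not exceed 255 characters.
_MAX_LINE = 255


@dataclass
class SshIdent:
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def parse_ident_line(line: str) -> Optional[SshIdent]:
    """Return the parsed identification string, or None if the line is not one."""
    if len(line) > _MAX_LINE:
        return None
    line = line.rstrip("\r\n")
    m = _ID_RE.match(line)
    if not m:
        return None
    proto, soft, comments = m.groups()
    return SshIdent(proto, soft, comments)


def parse_server_preamble(data: bytes) -> Optional[SshIdent]:
    """Find the identification string in what a server sends first.

    RFC 4253 4.2 lets a server send other lines before the identification
    string; a client must skip any line that does not start with "SSH-".
    Returns None if no identification string is present.
    """
    for raw in data.split(b"\n"):
        ident = parse_ident_line(raw.decode("ascii", errors="replace"))
        if ident is not None:
            return ident
    return None


def supports_ssh2(ident: SshIdent) -> bool:
    """protoversion "1.99" marks a server that speaks both protocol 1 and 2 (RFC 4253 5.1)."""
    return ident.protoversion in ("2.0", "1.99")


# Constructed sample banners (not captured from real hosts):
SAMPLE_DEBIAN = b"SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9\r\n"
SAMPLE_COMPAT = b"SSH-1.99-OpenSSH_3.7.1p2\r\n"
SAMPLE_PREAMBLE = b"Welcome to host\r\nSSH-2.0-OpenSSH_3.7.1p2 FreeBSD-20030924\r\n"
SAMPLE_NOT_SSH = b"220 mail.example.test ESMTP\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_DEBIAN, SAMPLE_COMPAT, SAMPLE_PREAMBLE, SAMPLE_NOT_SSH):
        print(sample, "->", parse_server_preamble(sample))
```

The split matters for the thread's question: a scanner that only wants the OpenSSH release reads softwareversion, while the distribution's package revision sits in comments, so appending it there neither breaks clients nor changes what compatibility logic keys on.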
More information about the fedora-devel-list mailing list