rpm version-release in Version strings of OpenSSH, Apache etc?

Pekka Savola pekkas at netcore.fi
Fri Sep 26 18:02:13 UTC 2003


On Fri, 26 Sep 2003, Vincent wrote:
> > You're already in pretty deep shit if you're worried about someone
> > exploiting your SSH services and they get to see the banner.  This means 
> > you haven't firewalled away the port or put in TCP Wrappers for it.
> 
> Yeah I only have a selected few with SSH access so access is pinched with those
> but there are times when I'll be moving to a machine the host address is not
> known until I get there. So open for all happens sometimes. There are a few
> things I can do to side step this but it's not completely written yet.

Right, of course people need login servers and such which are open.

However, you will pay special attention to those boxes, keep them 
up-to-date, even more so than other "protected" servers.

So, if your SSH version is always up-to-date, it doesn't give attackers 
anything even if you release the release number.

> > Banners are used to enable bug workarounds for broken versions, so they're 
> > pretty useful.. :-)
> > 
> > There is an option in OpenSSH so you can set the Version string yourself 
> > if you want, btw.
> 
> If you mean setting the banner in sshd config that won't work. It is more like
> an MOTD. If you netcat to 22 it will still spit everything out same as before.
> If you meant something else, let me know. I'd like to try it out.

Sorry, it seems I was misremembering this.  Someone must have proposed it
but it had been rejected.  I thought you could forge the version number
completely with a config option.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
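
What netcat to port 22 prints is the protocol identification string from RFC 4253 section 4.2 (`SSH-protoversion-softwareversion SP comments CR LF`). The following is an added example, not part of the thread: it parses that string to inventory what a login server discloses before authentication. The sample strings, the `vendor-release-5` comment and the `ExampleSSHD` name are constructed assumptions.

```python
import re

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>[^-\s]+)(?: (?P<comments>.*))?$")
# Split softwareversion into product name and version when it carries both.
SOFTWARE_RE = re.compile(r"^(?P<product>[A-Za-z][A-Za-z.]*)[_/]?(?P<version>\d[\w.]*)$")

def parse_ident(raw: bytes) -> dict:
    """Parse the first bytes a server sends on connect."""
    lines = [l.rstrip(b"\r") for l in raw.split(b"\n") if l.strip()]
    pre = []
    for line in lines:
        if line.startswith(b"SSH-"):
            break
        pre.append(line.decode("utf-8", "replace"))  # RFC allows text lines first
    else:
        raise ValueError("no SSH identification string found")
    if len(line) + 2 > 255:  # RFC limit, counting the trailing CR LF
        raise ValueError("identification string exceeds 255 bytes")
    m = IDENT_RE.match(line.decode("ascii", "replace"))
    if m is None:
        raise ValueError("malformed identification string")
    info = m.groupdict()
    sw = SOFTWARE_RE.match(info["software"])
    info["product"] = sw["product"] if sw else info["software"]
    info["version"] = sw["version"] if sw else None
    info["pre_lines"] = pre
    return info

def disclosed(info: dict) -> list:
    """List what an unauthenticated peer learns from the string."""
    out = ["protocol " + info["proto"], "product " + info["product"]]
    if info["version"]:
        out.append("upstream version " + info["version"])
    if info["comments"]:
        out.append("packager comment " + info["comments"])
    return out

# Constructed samples, not captured from any real host.
SAMPLES = [
    b"SSH-2.0-OpenSSH_3.6.1p2\r\n",
    b"SSH-1.99-OpenSSH_3.6.1p2 vendor-release-5\r\n",
    b"maintenance tonight\r\nSSH-2.0-ExampleSSHD\r\n",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(disclosed(parse_ident(s)))
```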





