
Bug#786987: Re: Bug#786987: openssh-server: please have DebianBanner default to no



On 22/02/16 16:30, Colin Watson wrote:
> On Mon, Feb 22, 2016 at 04:19:24PM +0100, Carlos Alberto Lopez Perez wrote:
>> So, putting it into other words...  The use case was actually to make
>> easier to detect vulnerable systems to anyone without access to the
>> system by inspecting the DebianBanner version of the SSH servers, right?
> 
> People can do that anyway just by seeing whether their attacks work;
> plenty of actual attackers just scattergun their attacks.  Hiding the
> version doesn't particularly help, 

I disagree.

If some attacker knows that (for example)
openssh-server=1:6.7p1-5+deb8u is vulnerable to any vulnerability, they
can instantly find thousands of hosts to attack directly by doing
something as easy as this:

https://www.shodan.io/search?query=SSH-2.0-OpenSSH_6.7p1+Debian-5%2Bdeb8u1

And if they want to find hosts running on Debian lenny (that probably
contains many unpatched vulnerabilities), they can do this:

https://www.shodan.io/search?query=SSH-2.0-OpenSSH_5.1p1+Debian-5

So, this leak of information helps any attacker targeting specific
versions of unpatched software a *lot*.


Attackers usually don't start trying to probe exploit after exploit.
That is silly. They are probably going to be detected by some IDS or
something like that. The first thing an attacker is going to do is to
gather information about what you are running and which versions. And
this default is helping them a lot.

> but giving network administrators the
> ability to efficiently shut off access to vulnerable systems can do.
>

I think that any network administrator having to do this to secure their
own network probably has a bigger problem than insecure hosts on their
network.

In any case I'm not going to argue about this. We are talking about a
default.

How many network administrators have this need?

And how many Debian users are leaking information about their insecure
machines, making them much more exposed to attackers targeting old
versions of the software they run?

So, I think the default should be to have this option set to No.

And the burden should be on the network administrator of your use case
to tell users to enable this option or he will disconnect them.


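An administrator who wants to know which of their own hosts are publishing the Debian package revision discussed in this thread can parse the SSH identification strings those hosts send. The following is an added example, not code from the bug report or from the openssh-server package: it splits an RFC 4253 identification string into its protocol, software and comments fields and flags banners whose comments field is the "Debian-<revision>" suffix that DebianBanner appends (the host names and banners in the inventory are constructed sample data).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 4253: SSH-protoversion-softwareversion SP comments CR LF
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# With DebianBanner enabled the comments field is the package revision, e.g. "Debian-5+deb8u1".
DEBIAN_RE = re.compile(r"^Debian-(?P<revision>\S+)$")


@dataclass
class BannerInfo:
    proto: str
    software: str
    comments: Optional[str]
    openssh_version: Optional[str]   # "6.7p1" for "OpenSSH_6.7p1", else None
    debian_revision: Optional[str]   # "5+deb8u1" when the Debian suffix is present

    @property
    def leaks_distro_version(self) -> bool:
        # True when the banner alone identifies the exact Debian package revision.
        return self.debian_revision is not None


def parse_banner(line: str) -> BannerInfo:
    """Parse one SSH identification string (trailing CR/LF tolerated)."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    software, comments = m.group("software"), m.group("comments")
    openssh = software[len("OpenSSH_"):] if software.startswith("OpenSSH_") else None
    deb = DEBIAN_RE.match(comments) if comments else None
    return BannerInfo(m.group("proto"), software, comments, openssh,
                      deb.group("revision") if deb else None)


def audit(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose banner discloses a Debian package revision, sorted."""
    return sorted(h for h, b in inventory.items() if parse_banner(b).leaks_distro_version)


# Constructed inventory: host name -> banner captured from that host (sample data).
SAMPLE_INVENTORY = {
    "jessie-web": "SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u1\r\n",   # DebianBanner yes
    "lenny-legacy": "SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n",        # DebianBanner yes
    "hardened-bastion": "SSH-2.0-OpenSSH_6.7p1\r\n",             # DebianBanner no
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: banner reveals Debian revision {parse_banner(SAMPLE_INVENTORY[host]).debian_revision}")
```

The same parser can be pointed at banners collected with a plain TCP read of port 22 on each host; only the identification line is needed, so no key exchange takes place.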

