Re: ssh broadcasts package name???
"imasu" == imasu <DvB> writes:
imasu> Isn't this a potential security issue? A co-worker
imasu> recently portscanned my Debian box with the "windows
imasu> network scanner," or something like that. One thing I
imasu> noticed was that the scanner appeared to somehow come up
imasu> with the full debian package name of ssh on my box... if
imasu> you moused over "ssh" in the list of open ports, a little
imasu> tooltip type box would pop up that said "ssh_debian3.4p1-2"
imasu> or something like that. A malicious person who's aware of
imasu> what patches are or aren't in what debian packages could
imasu> easily see whether or not my computer was vulnerable to
imasu> whatever's wrong with ssh when I get portscanned.
~$ telnet localhost ssh
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
^]
telnet> quit
Connection closed.
~$
So I looked around and found
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=130876&repeatmerged=yes
and it looks like the consensus was you can't keep everyone happy ;-)
I have to say that after reading all that I don't think this is a
particularly risky thing to have. If there was a bug in ssh, people
would find your ssh and attempt to crack it anyway. The only time the
information above would help is if it saved time (i.e. the crack was
computationally intensive). But I'm hardly one to know security.....
Cheers!
Shyamal
Reply to: