On Fri, Oct 25, 2002 at 05:19:18PM -0500, DvB wrote:
> Isn't this a potential security issue?
>
> A co-worker recently portscanned my Debian box with the "windows network
> scanner," or something like that. One thing I noticed was that the
> scanner appeared to somehow come up with the full debian package name of
> ssh on my box... if you moused over "ssh" in the list of open ports, a
> little tooltip type box would pop up that said "ssh_debian3.4p1-2" or
> something like that. A malicious person who's aware of what patches are
> or aren't in what debian packages could easily see whether or not my
> computer was vulnerable to whatever's wrong with ssh when I get
> portscanned.

As for the "how" bit, try:

    $ telnet localhost ssh

and your sshd should respond with its banner. That's probably what the scanner picked up. IIRC the banner is required to announce what ssh protocol versions it speaks, but there might be some room for tweaking it.

But ... Changing the banner to something more generic is merely security by obscurity - once a vulnerability is known and abused, why would an attacker pay *any* attention to the banner? Just try the exploit!

Besides: The security team has back-ported some few fixes to debian's ssh, where it would be wrong to change the banner (apart from incrementing the debian version number). So the version number does not necessarily reflect the vulnerabilities present.

-- 
Karl E. Jørgensen
[EMAIL PROTECTED]
http://karl.jorgensen.com
==== Today's fortune:
Don't vote -- it only encourages them!
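
An added example, not part of the original message: a small Python check for what your own sshd's banner discloses, splitting the identification string into the protocol version, software version and optional comment fields defined in RFC 4253 section 4.2. The function names and the sample banners are constructed for illustration.

```python
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_ID = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_ssh_banner(line):
    """Split an SSH identification string into the fields it discloses."""
    m = _ID.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    proto = m.group("proto")
    # A server announcing 1.99 speaks protocol 2 and still accepts protocol 1.
    if proto == "1.99":
        speaks = ["1", "2"]
    else:
        speaks = [proto.split(".")[0]]
    return {
        "proto": proto,
        "speaks": speaks,
        "software": m.group("software"),
        # Distribution builds often put their package revision here.
        "comments": m.group("comments"),
    }


def read_banner(host="localhost", port=22, timeout=5.0):
    """Fetch the identification line from an sshd you administer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        with s.makefile("rb") as f:
            # The server may send other lines before the "SSH-" line.
            for _ in range(20):
                line = f.readline(256).decode("ascii", "replace")
                if line.startswith("SSH-"):
                    return line
    raise ValueError("no SSH identification string received")


if __name__ == "__main__":
    # Constructed sample banner, not captured from a real host.
    sample = "SSH-1.99-OpenSSH_3.4p1 Debian-2\r\n"
    for field, value in parse_ssh_banner(sample).items():
        print("%-9s %s" % (field, value))
```

As the reply points out, the software field cannot show back-ported fixes, so the patch state of a host has to be read from the installed package's changelog rather than from this string.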