> How do I prevent Openssh telling which version is running? > Likewise with sendmail? (I know you'll tell med to use another MTA..). > > Surely it's a problem with my eyes, haven't found out yet, though.
Part of the OpenSSH spec requires you to tell the remote end what version you are running, i.e. so it knows what the capabilities are. You could pretend to run a different version but may run into trouble. As for sendmail I can still figure out what version you have based on error codes/etc. Fiddling with banners is cute but largely useless since few mass attackers bother to scan anymore, they simply shotgun out the attacks and see what comes back. You will still be running an insecure version of whatever software if you do not regularily patch it/etc. Kurt Seifried, [EMAIL PROTECTED] A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/