My apologies...
pressed a wrong button or two... and sent that last mail before I was done...
And didn't even remove the unnecessary quotes...
Sorry.

>
> Sure. I am familiar with both the exploits and the scripts. But do I let
> ssh in through my firewall from anywhere? Certainly not.
>
> The point here is that a good firewall config, combined with an IDS of
> some sort and some good common sense, is a much better way of protecting
> your stuff than suppressing a few banners and pulling the security
> blanket over your eyes.

That is true.
But Jay was criticizing the utility of banner munging with or without those
additional measures being taken.

> And *that* is what I have been trying to say. Sorry if I was not clear
> enough. And I still stand by my claim that the vast majority of script
> kiddies' tools ignore banners and just try the exploits.

No.

Uh. I will explain this in a more simplistic manner.
Your and Jay's assumption from the beginning is that the crackers are out to
get *your* site on a personal basis. And it is not so. Most will rather find
a system that is easier to crack than waste time on yours. Unless you
have got competitors that are playing dirty, in which case you would rather want
to set up a honeypot instead, collect evidence and prosecute them legally. Or
you have got something really, really important on your servers. But mostly
it is not the case, for most of the hosts out there. And we are talking
about them.

Assume for a minute that you are a scriptkiddy. A new exploit comes out and
you have managed to lay your hands on it. It is, as quite often exploits
are, supposed to work only with certain versions of a certain OS/software.
The current fad going around is to not just deface the sites. They want to
root the boxes, so to speak, and either launch a DDOS attack using
something like trin00 or just use the system to compromise other systems.
The Net is reasonably huge. And you can't spend the next year trying *every*
single host out there, while typing the exploit by hand. For heaven's sake,
there are millions of those. So what are you gonna do?

You code a script, or rather find one, that simply tries to connect to the
appropriate port. So assume that there is this new cool exploit for apache
that not many yet know about, and you figure that if you are able to connect
to port 80 it is a webserver. But that still returns pretty much 90% of the
hosts. Your exploit works with just apache, and that too a particular
version. So what do you do? Are you going to try all the list one by one?
You would rather get a script to grab the banner and make a list of all the
hosts matching your criterion. Now this is a much smaller list and something
that is more sure-shot. And this is the one you are going to go for.

The assumption the crackers make is that there are going to be enough
systems available that are running the old unpatched software/OS, and it is
not very smart to try an apache exploit on a host running IIS and waste time
executing all 10 steps of the exploit when you could have easily dropped the
system off your list in the first step itself. Sadly there are many such
hosts out there. And this is the current reality. So do you want to present
your system with a "Hey! I am a target!" banner, or would you rather maintain
a low profile?

Neither HTTP nor ftp servers are required to hand out any correct info by
way of a banner to function correctly.
And openssh only requires the announcement of the protocol version. You can
substitute pretty much anything else in the software-version part of the
string. And you can change it in the source files.

And if someone *is* out to get *you, and you alone*, they will eventually,
banner or no banner. But I would assume that unless you are verisign or some
online bank or something, that is not generally the case. Only 1 out of 10
crackers would probably target your system specifically. And if you are
relying on just StO, the first one of *them* to come along will get you.
So taking additional measures is definitely required.

Relying on just plain StO is definitely silly. But giving out info other
than what is necessary is also plain stupid and asking for trouble.

And if Jay and you disagree on that, why not mail the addresses of your
hosts and their root passwords to this list?

Btw, BIG question. What are you running if not ssh ?
Not telnet I hope ?

Regards,
D
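The message above argues that HTTP, ftp and ssh greetings need not carry a software version, only what the protocol itself requires (for ssh, the protocol version). The following self-audit script, added here as an example and not part of the original mail, checks greeting lines captured from one's own services and flags those that still disclose a version number; the sample banners are constructed for illustration.

```python
import re

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments].
# Only the "SSH-2.0-" prefix (protocol version) is needed to interoperate;
# the softwareversion field and the comment are free-form.
SSH_ID = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
# A dotted number such as "2.9" or "1.3.20" is what a version-matching script keys on.
VERSION_TOKEN = re.compile(r"\d+\.\d+")


def audit_ssh_banner(line):
    """Return whether a captured ssh identification string leaks a software version."""
    m = SSH_ID.match(line.rstrip("\r\n"))
    if not m:
        return {"service": "ssh", "valid": False, "leaks_version": None}
    text = m.group("software") + " " + (m.group("comment") or "")
    return {"service": "ssh", "valid": True, "proto": m.group("proto"),
            "software": m.group("software"),
            "leaks_version": bool(VERSION_TOKEN.search(text))}


def audit_http_server_header(response):
    """Inspect only the optional Server: header of a captured HTTP response head."""
    for line in response.split("\r\n"):
        if line.lower().startswith("server:"):
            value = line.split(":", 1)[1].strip()
            return {"service": "http", "server": value,
                    "leaks_version": bool(VERSION_TOKEN.search(value))}
    return {"service": "http", "server": None, "leaks_version": False}


def audit_ftp_greeting(line):
    """An ftp 220 greeting only needs the reply code; anything after it is informational."""
    line = line.rstrip("\r\n")
    if not line.startswith("220"):
        return {"service": "ftp", "valid": False, "leaks_version": None}
    return {"service": "ftp", "valid": True,
            "leaks_version": bool(VERSION_TOKEN.search(line[3:]))}


# Constructed sample greetings: a "loud" and a "quiet" variant of each service.
SAMPLE_BANNERS = [
    ("ssh-loud", audit_ssh_banner, "SSH-2.0-OpenSSH_2.9p2 Debian-1\r\n"),
    ("ssh-quiet", audit_ssh_banner, "SSH-2.0-Generic\r\n"),
    ("http-loud", audit_http_server_header, "HTTP/1.1 200 OK\r\nServer: Apache/1.3.20 (Unix)\r\n\r\n"),
    ("http-quiet", audit_http_server_header, "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"),
    ("ftp-loud", audit_ftp_greeting, "220 ProFTPD 1.2.0 Server ready.\r\n"),
    ("ftp-quiet", audit_ftp_greeting, "220 FTP service ready.\r\n"),
]


def run_audit(samples=SAMPLE_BANNERS):
    """Return the labels of every captured greeting that still advertises a version."""
    return [label for label, check, banner in samples if check(banner)["leaks_version"]]
```

Point the three `audit_*` functions at greetings recorded from your own hosts to see which ones a version-matching script would still pick out.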
