(no subject)

Dagmar d'Surreal dagmar.wants at nospam.com
Sat Mar 6 20:56:28 PST 2004

On Fri, 2004-03-05 at 15:32, Christopher James Coleman wrote:
> On Fri, 5 Mar 2004, Michael Labuschke wrote:
> > Proftpd  it does not say its version number in the welcome msg anymore.
> If you have to use plain ftp, use vsftpd. I have read through the code (
> though I should not be considered as any sort of authority ), and it
> ranges from worrying ( wu-ftpd ) through to really good ( vsftpd ).

People who have ssh shouldn't bother using ftp anymore.  Scp more or
less deprecates it, and there's also an sftp service unrelated to a
"classic" ftpd (but which still works the same from a user's
perspective) that one can use that's part of OpenSSH.

> > OpenSSH changed version to "SSH_3.2.3"
> This may `trick' people into thinking you are running a version. However,
> you have obviously missed that SSH banners are used to help `quirks' mode
> -- that is to get around possible implementation faults in different
> versions of the software for SSH

Now wait, this argument isn't as simple as it would first appear.  The
quirks checking only matters if you're connecting to the thing from a
crappy version of someone else's SSH client or one that is _very_ old. 
If this daemon is only to be used by a few _explicitly authorized_
people whose systems are all updated, then _to hell_ with whether or not
the quirks checks can function for now.  The fallback behaviour for
OpenSSH is to assume it's talking to another identical version of
OpenSSH (and it's been a few years since this would actually matter).
I don't believe in security through obscurity, but really, what specific
codebase you're using is no one's business but the authorized system
administrators', and this technique is better justified as an information
leakage fix.

Although I will say that rather than even bothering to put a fake banner
up (in the case of this), just leave it up to guessing and snip out the
entire version qualifier, leaving the daemon emitting "SSH-2.0-OpenSSH"
or "SSH-2.0" only.  Someone using tcp_wrappers to restrict access to the
port (and you damn well better be!) will often be better served by
looking into the banners option it has.  A simple text file containing
"SSH-1.5-OpenSSH_2.3" can work wonders for screwing with people trying
to scan for vulnerabilities.  This is also not obscurity--it's enticing
someone to tip their hand so you can discern a horizontal scan from a
premeditated intrusion attempt.  

> But still, it is nice to see someone actively working on projects. I am
> sure people in this mailing list can give more, well, worthwhile tasks to
> be getting on with ;).

Yeah, find all the little extra things that one's MTA of choice will
still do for remote users even when you think it's just catching and
tossing mail.  I found something I had overlooked that could lead to a
degradation of service issue about six months ago, after having used 
sendmail for _years_.  (This isn't even CERT advisoried to my knowledge,
it's a long shot to begin with because one has to *POUND* the daemon to
make it happen but I still felt foolish that I didn't notice it when I
went through the sources).  ;)
The email address above is phony because my penis is already large enough, kthx. 
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org
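
The banner-trimming idea discussed in the message above can be checked mechanically. The following is an added example, not part of the original post or of OpenSSH: it splits an SSH identification string and lists which fields it discloses. The function names, the release-number heuristic and the sample banners are assumptions made here, except the two strings quoted from the message.

```python
import re

# RFC 4253 section 4.2 layout: SSH-protoversion-softwareversion SP comments
IDENT = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)(?:-(?P<software>\S+))?(?: (?P<comments>.+))?$")
# Heuristic (assumption): a release number follows a "_" or "-" separator.
RELEASE = re.compile(r"(?<=[_-])\d[\w.]*$")
ORDER = ("protocol", "product", "version", "comments")

def audit_banner(line):
    """Split an SSH identification string and list the fields it discloses."""
    m = IDENT.match(line.rstrip("\r\n"))
    if m is None:
        return None  # not an SSH identification string at all
    software = m.group("software") or ""
    rel = RELEASE.search(software)
    product = software[:rel.start()].rstrip("_-") if rel else software
    fields = {
        "protocol": m.group("proto"),
        "product": product or None,
        "version": rel.group(0) if rel else None,
        "comments": m.group("comments"),
    }
    fields["disclosed"] = [k for k in ORDER if fields[k]]
    # RFC 4253 makes softwareversion a mandatory part of the string, so a
    # banner without it may be rejected by clients that parse strictly.
    fields["has_softwareversion"] = bool(software)
    return fields

def over_disclosed(line, allowed=("protocol", "product")):
    """Return the disclosed fields that a local policy does not allow."""
    result = audit_banner(line)
    if result is None:
        return []
    return [f for f in result["disclosed"] if f not in allowed]

# Constructed samples, except the two strings taken from the message above.
SAMPLES = [
    "SSH-2.0-OpenSSH_3.8p1 Debian-1\r\n",  # constructed: full default-style banner
    "SSH-2.0-OpenSSH",                      # from the message: version qualifier snipped
    "SSH-1.5-OpenSSH_2.3",                  # from the message: decoy banner text
    "SSH-2.0",                              # protocol only
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", audit_banner(sample)["disclosed"],
              "policy violations:", over_disclosed(sample))
```
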
