Operating System - HP-UX

Re: Version disclosure how to avoid it

 
chindi
Respected Contributor

Version disclosure how to avoid it

Hi,

Information disclosure in banner grab reveals sensitive data, such as technical details of the web server, environment, or user-specific data. This sensitive data may be used by an attacker to exploit the target web application, its hosting network, or its users. This helps an attacker to launch target specific attacks.

We need to disable telnet and ftp versions, how do we do it?

 

 

Torsten.
Acclaimed Contributor

Re: Version disclosure how to avoid it

Better to disable telnet and ftp anyway. Use ssh and scp or sftp instead.


Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
chindi
Respected Contributor

Re: Version disclosure how to avoid it

Hi,

We have already disabled telnet, but when we check from our local network, say through telnet 10.xx.xx.xx 22, the ssh version must not be displayed.

 

telnet 10.xx.xx.xx  22

OpenSSH 4.5p1sdtpfilecontrol-v1.1hpn12v14

Torsten.
Acclaimed Contributor

Re: Version disclosure how to avoid it

Look for a "Banner" option in "/etc/ssh/sshd_config".

Hope this helps!
Regards
Torsten.

chindi
Respected Contributor

Re: Version disclosure how to avoid it

Hi,

It's not working.

I tried Banner /etc/issue

/etc/issue contains "TEST"

When I took an ssh session it showed up as:

 

login as: root
TEST
Using keyboard-interactive authentication.

 

 

It's not my requirement.

My requirement is that when I am doing telnet to check the port from a machine to that particular HP-UX 11iv2 server,

telnet 10.xx.xx.xx 22

it must not display the ssh version, only a blank screen must appear.

Torsten.
Acclaimed Contributor

Re: Version disclosure how to avoid it

Not /etc/issue but the ssh_config file!

Hope this helps!
Regards
Torsten.

chindi
Respected Contributor

Re: Version disclosure how to avoid it

Hi Torsten,

 

grep "Banne" /opt/ssh/etc/sshd_config

 

Banner /home/test

 

cat /home/test

test

 

And again, when I am trying telnet 10.xx.xx.xx 22 from my local machine to this server I am able to get the ssh version.

 

 

chindi
Respected Contributor

Re: Version disclosure how to avoid it

Hi,

We need to change the OpenSSH banner here.

Need to edit this file as follows (read in a forum):

 

root #/ >vim /opt/ssh/src/ssh/version.h
/* $OpenBSD: version.h,v 1.48 2006/11/07 10:31:31 markus Exp $ */

#define SSH_VERSION "OpenSSH_4.5"

#ifdef HP_SFTP_UMASK_FIX
#define SSH_PORTABLE "p1+sftpfilecontrol-v1.1"
#else
#define SSH_PORTABLE "p1"
#endif /* HP_SFTP_UMASK_FIX */

#ifdef HP_HPN_PATCH
#define SSH_HPN "-hpn12v14"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
#else
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
#endif /* HP_HPN_PATCH */

#ifdef HP_VERSION_STRING /* Here: for hp ssh version */
#include "hp_version.h"
#endif /* HP_VERSION_STRING */

chindi
Respected Contributor

Re: Version disclosure how to avoid it

How to disable SSH version and Operating System banner?

 

#telnet localhost 22

OpenSSH 4.5p1sdtpfilecontrol-v1.1hpn12v14
 

After a lot of research I have found that we cannot and should not disable it,

since it is required for clients who connect to this server.
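As an added example (not code from this thread or from HP's OpenSSH build): the string that `telnet host 22` shows is the protocol identification line that RFC 4253 requires an SSH server to send before anything else, while the `Banner` directive is delivered only after key exchange, which is why changing `Banner` never affected the telnet check. The script below reads such an opening line, parses it and reports what it exposes; the sample bytes are constructed here from the `SSH_RELEASE` macros quoted above, and `grab_banner` assumes a reachable host.

```python
"""Parse and assess an SSH protocol identification line (RFC 4253 section 4.2)."""
import re
import socket

# RFC 4253: "SSH-protoversion-softwareversion SP comments CR LF".
# Real servers put '-' inside softwareversion (see the HP string below),
# so the software field is matched leniently up to the first space.
_IDENT_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

# Constructed sample: what the HP-UX build in this thread would send, assembled
# from SSH_VERSION + SSH_PORTABLE + SSH_HPN in the quoted version.h.
SAMPLE_HPUX = b"SSH-2.0-OpenSSH_4.5p1+sftpfilecontrol-v1.1-hpn12v14\r\n"
# Constructed sample with a pre-identification line (allowed by the RFC) and a comment field.
SAMPLE_WITH_COMMENT = b"Welcome\r\nSSH-2.0-OpenSSH_7.4 FreeBSD-20170903\r\n"


def read_identification(raw: bytes) -> str:
    """Return the identification line from the server's opening bytes.

    The server may send other lines first; the identification line is the
    first one that starts with 'SSH-'."""
    for line in raw.decode("ascii", "replace").split("\n"):
        line = line.rstrip("\r")
        if line.startswith("SSH-"):
            return line
    raise ValueError("no SSH identification line found")


def parse_identification(line: str) -> dict:
    """Split the line into protocol version, software version and optional comments."""
    m = _IDENT_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification line: {line!r}")
    return {"proto": m["proto"], "software": m["software"], "comments": m["comments"]}


def assess_disclosure(info: dict) -> list:
    """Defender-side check: list the details the identification line exposes."""
    findings = []
    if re.search(r"\d", info["software"]):
        findings.append("software version number exposed: " + info["software"])
    if info["comments"]:
        findings.append("comment field exposes extra detail: " + info["comments"])
    return findings


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Connect to your own server, read only the identification line, and close."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return read_identification(sock.recv(255))
```

Because the identification line is mandatory for version negotiation, the practical mitigation is keeping the build current and limiting which networks can reach port 22, not hiding the string.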

chindi
Respected Contributor

Re: Version disclosure how to avoid it

Hi Matti / Dennis,

 

Waiting for your suggestions.