ssh banner available

Answered Question
Jul 7th, 2009

Hi All


We've just had a security survey carried out and one of the issues raised is that my routers and PIXes both reveal the SSH version number if you telnet to them on port 22. Apparently this could aid an attacker by providing information on server version and vendor.


e.g.

telnet router.com 22

SSH-1.99-Cisco-1.25


Any ideas as to how to prevent this?


Thanks in advance

Chris

Correct Answer
Danilo Dy Tue, 07/07/2009 - 01:07

Remote administration of network devices should only permit the IP addresses of authorized personnel and use an encrypted connection across untrusted networks (e.g. the internet). An ACL should be in place to permit only the IP addresses of authorized personnel. Knowing the version is irrelevant, as they are the administrators of the device.


If you don't put an ACL in place to permit only the IP addresses of authorized personnel, then even if the version is NOT shown, it doesn't matter to hackers.

CHRIS PAGE Tue, 07/07/2009 - 04:45
That's a very good point.


Now all I have to do is find out what idiot put this line in my config:


ssh 0.0.0.0 0.0.0.0 outside


which certainly should not have been there. Now I've taken that out, all is fine.


Thanks very much for your help.

srue Tue, 07/07/2009 - 05:29

"SSH-1.99-Cisco-1.25": if that output is really from your equipment, then it is currently supporting both SSH v1 and v2. You should at least hard-code it to only respond via v2.

"ip ssh version 2" for IOS.

"ssh version 2" for ASA.

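To put both of the points above (Danilo's ACL and srue's "version 2 only") into configuration, here is an added example that is not from any poster in this thread. It shows the weak settings beside the hardened ones, first for an IOS router and then for an ASA (PIX running 7.x-style software uses the same `ssh` syntax; older PIX releases may not, so treat that as an assumption). The management subnet 192.0.2.0/24, the ACL name MGMT-SSH and the vty range are placeholders to replace with your own. Lines beginning with `!` are comments.

```cisco
! ---- IOS router: before (what the survey saw) ----
! With no "ip ssh version" set the server advertises SSH-1.99-Cisco-1.25.
! Per RFC 4253 section 5.1, protoversion 1.99 means "I speak both v1 and v2",
! so a client can negotiate the weaker SSHv1. A vty line without an
! access-class answers to anyone who can reach TCP/22.
line vty 0 4
 transport input telnet ssh

! ---- IOS router: hardened ----
! 192.0.2.0/24 and MGMT-SSH are placeholders for the real management subnet.
ip access-list standard MGMT-SSH
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! SSHv2 needs an RSA key of at least 768 bits; if none exists yet, run
! "crypto key generate rsa modulus 2048" in exec mode first.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
line vty 0 4
 access-class MGMT-SSH in
 transport input ssh
 login local
 exec-timeout 10 0

! ---- ASA / PIX 7.x: before (the line Chris found) ----
! Any source address on the outside interface may open an SSH session.
ssh 0.0.0.0 0.0.0.0 outside

! ---- ASA / PIX 7.x: hardened ----
no ssh 0.0.0.0 0.0.0.0 outside
ssh 192.0.2.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
```

Two things to check after applying this. First, `telnet router.com 22` from a permitted address should now return `SSH-2.0-Cisco-1.25` rather than `SSH-1.99-...` (on IOS, `show ip ssh` should report version 2.0); from any other address the TCP connection is dropped by the ACL, so no banner is returned at all. Second, the identification string itself cannot be removed: RFC 4253 section 4.2 requires the server to send it before key exchange, so the practical controls are exactly the two in this thread, namely who can reach port 22 and which protocol versions are offered. Note that `login local` assumes a local username has been configured.
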
CHRIS PAGE Tue, 07/07/2009 - 05:56
Another good point. Thank you, I have now done that.
