Hi folks: I know this is trivial stuff, but I want to remove banners used by all listening daemons. This is good for security, because at least it's annoying for hackers, who mostly base their attacks on version numbers appearing in daemon banners. For instance, on SuSE 6.4, running SMTP:

220 machine_name.domain ESMTP Sendmail 8.9.3/8.9.3/SuSE Linux 8.9.3-0.1; Thu, 26 Oct

Is it possible to change the banner without having to re-compile the Sendmail sources??? I've had a look at /etc/sendmail.cf. There is an entry which contains "DZ8.9.3/SuSE Linux 8.9.3-0.1". So I suppose there will be no problems if I change it to any string I want. But... could I remove the "Sendmail" string or simply remove the banner completely and change it to "220 machine_name.domain Microsoft Mail Server"??? I think I'd have to recompile Sendmail... (not the db's, I'm referring to the sendmail source code).

The question extends to any other daemons like Proftpd, Qpopper, etc. Is it easy to achieve it?

Thx a lot.

PS: Banners are very important to hackers (or at least script-kiddies) wanting to penetrate your machine.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
roman@madrid.com
http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On Thu, Oct 26, 2000 at 12:46:27PM +0200, RoMaN SoFt / LLFB!! wrote:
The question extends to any other daemons like Proftpd, Qpopper, etc.. Is it easy to achieve it?
Yes, since you can recompile the source. You could also use something like this:

/etc/hosts.deny:
ALL: ALL: spawn ( echo attempt from %h %a to %d at `date` | tee -a /var/log/access.log | mail -s "illegal access %h to %d" jurriaan@middle.of.nowhere ) : twist /bin/cat /usr/local/etc/access_message

/usr/local/etc/access_message:
220 middle.of.nowhere FTP server (Version 0.0.01Alpha with very special bugs) ready.... Just Kidding! This attempt has been logged. Feel free to depart at your earliest convenience.

However, I may have been reading too many BOFH stories :-)

Good luck,
Jurriaan
-- 
BOFH excuse #227: Fatal error right in front of screen
GNU/Linux 2.2.18pre15 SMP 2x1117 bogomips load av: 0.98 1.05 1.09
/etc/hosts.deny: ALL: ALL: spawn ( echo attempt from %h %a to %d at `date` | tee -a /var/log/access.log | mail -s "illegal access %h to %d" jurriaan@middle.of.nowhere ) : twist /bin/cat /usr/local/etc/access_message
/usr/local/etc/access_message: 220 middle.of.nowhere FTP server (Version 0.0.01Alpha with very special bugs) ready.... Just Kidding! This attempt has been logged. Feel free to depart at your earliest convenience.
However, I may have been reading too many BOFH stories :-)
Ugh. Double Ugh. Triple Ugh. Class, what did Mr. Jurriaan do wrong?

1) spawn-ing off shell processes. This leads to a possible denial of service if I flood his port 21 with connections (using octopus, for example).
2) sending email for each connection attempt. 10-20 minutes of packet flooding to port 21 would kill his server.
3) using twist to spawn off a shell command to print a banner, when tcp_wrappers has a built-in facility to print banners.

My weekly column will actually be covering this issue on Nov 15th. As far as replacing banners goes, most attackers will just go for a non-subtle approach and try their exploit against every machine, not caring if it works or not; chances are they'll get at least a few. There are much more intelligent things to do with banners/tcp_wrappers.
Good luck, Jurriaan
-Kurt
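Kurt's third point, the built-in banner facility, as an added example that is not from anyone in this thread: tcp_wrappers' "banners" option in hosts.deny sends a per-daemon banner file and then refuses the connection, with tcpd's own syslog entry as the audit trail, so no shell, mail or cat process is forked per connection. It assumes a tcpd built with hosts_options(5) support and the paths shown; STAGE stages the files under ./tcpw-stage for review, and only an explicitly empty STAGE writes the real /etc and /usr/local/etc.

```shell
#!/bin/sh
# Added example (not from anyone in this thread): the same deny-with-a-banner
# setup done with tcp_wrappers' built-in "banners" option instead of
# spawn/mail/twist. tcpd already syslogs every refused connection, so no
# per-connection shell, mail or cat process is needed. All paths are assumed.
set -eu

BANNER_DIR=/usr/local/etc/banners   # assumed path written into hosts.deny
STAGE="${STAGE-./tcpw-stage}"       # staging root; set STAGE= (empty) to install for real

# The banners option looks for a file named after the daemon process
# (in.ftpd, in.telnetd, ...) and copies it to the client, expanding the
# %-sequences from hosts_access(5) itself (%H server host, %c client, %d daemon).
write_banner_files() {
    mkdir -p "$STAGE$BANNER_DIR"
    cat > "$STAGE$BANNER_DIR/in.ftpd" <<'EOF'
220 %H FTP service: connection from %c has been logged. Disconnecting.
EOF
    cat > "$STAGE$BANNER_DIR/in.telnetd" <<'EOF'
Access to %d on %H from %c is not permitted and has been logged.
EOF
}

# Deny by default and print the per-daemon banner; tcpd then drops the
# connection. Hosts you actually want to serve go in hosts.allow.
write_hosts_deny() {
    mkdir -p "$STAGE/etc"
    printf '%s\n' \
        '# deny everything not listed in hosts.allow; send a banner first' \
        "ALL: ALL: banners $BANNER_DIR" > "$STAGE/etc/hosts.deny"
}

# Sanity check: every daemon we expect has a non-empty banner file and the
# hosts.deny entry points at the banner directory. Returns 0 on success.
check_banners() {
    for daemon in in.ftpd in.telnetd; do
        [ -s "$STAGE$BANNER_DIR/$daemon" ] || return 1
    done
    grep -q "^ALL: ALL: banners $BANNER_DIR\$" "$STAGE/etc/hosts.deny"
}

write_banner_files
write_hosts_deny
check_banners && echo "staged tcp_wrappers banners under ${STAGE:-/}"
```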
[...]
Is it possible to change the banner without having to re-compile the Sendmail sources??? I've had a look at /etc/sendmail.cf. There is an entry which contains "DZ8.9.3/SuSE Linux 8.9.3-0.1". So I suppose there will be no problems if I change it to any string I want. But... could I remove the "Sendmail" string or simply remove the banner completely and change it to "220 machine_name.domain Microsoft Mail Server"??? I think I'd have to recompile Sendmail... (not the db's, I'm referring to the sendmail source code)-
I think you'll have to recompile sendmail to do this. However, I recommend using Postfix as the SMTP daemon - it is believed to be more secure than sendmail.

Postfix (main.cf):
smtpd_banner = $myhostname ESMTP Server ready
The question extends to any other daemons like Proftpd, Qpopper,
Proftpd (proftpd.conf):
ServerIdent on "FTP Server ready"
DeferWelcome on

QPopper: Recompile with ./configure --enable-shy
PS: Banners are very important to hackers (or at least script-kiddies) wanting to penetrate your machine.
I totally agree...
-- 
Ørnulf Nielsen
Linux Communications AS
participants (4)
- Kurt Seifried
- RoMaN SoFt / LLFB!!
- thunder7@xs4all.nl
- Ørnulf Nielsen