How to hide web server name and openssh version on linux when scanning server ports?


Solution 1

For the OpenSSH try following:

me@lappy:~# ncat 192.168.0.222 22
SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1

Cool, no exploits or anything, but let's edit it just for fun. First let's make a copy of sshd to work with.

root@mohsen-desktop:~# mkdir tmp
root@mohsen-desktop:~# cd tmp
root@mohsen-desktop:~/tmp# cp /usr/sbin/sshd .

Now let's modify it.

root@mohsen-desktop:~/tmp# hexedit sshd

OK, a blue window should have popped up; now look at the bottom and notice the commands. We want to use search, so press control+w, make sure "Search for text string" is in white and hit enter. Now type "OpenSSH", hit enter, and you will be directed to the exact part you need to modify.

It will look like this; just change everything that is in red to 0 and you will end up with what I have below. If you want to type something else, press TAB and type what you want into the ASCII part; just remember there is no backspace.

00053FE0 6E 64 2D 6C 69 6E 65 00 4F 70 65 6E 53 53 48 5F nd-line.OpenSSH_
00053FF0 35 2E 31 70 31 20 44 65 62 69 61 6E 2D 33 75 62 5.1p1 Debian-3ub
00054000 75 6E 74 75 31 00 25 73 2C 20 25 73 0A 00 4B 52 untu1.%s, %s..KR

It should now look like this.

00053FE0 6E 64 2D 6C 69 6E 65 00 4F 70 65 6E 53 53 48 00 nd-line.OpenSSH.
00053FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00054000 00 00 00 00 00 00 25 73 2C 20 25 73 0A 00 4B 52 ......%s, %s..KR

When you're done, hit control+x to save it, and give it a launch; remember it requires the exact path.

root@mohsen-desktop:~/tmp# /root/tmp/sshd
root@mohsen-desktop:~/tmp# ncat localhost 22
SSH-2.0-OpenSSH

Just make sure you can connect to it and you're good to go.

killall sshd
rm /usr/sbin/sshd
mv /root/tmp/sshd /usr/sbin/

To hide the web server name you should compile Apache from source and edit the conf file in it.
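The hexedit step above, done programmatically as an added example (not code from the answer): it locates the NUL-terminated "OpenSSH_..." string, overwrites the part after "OpenSSH" with zero bytes so the file length and all other offsets stay unchanged, and renders before/after dumps in the same layout as the answer. The 48-byte SAMPLE is constructed from the dump shown, not read from a real sshd; the function assumes the string occurs exactly once and refuses to patch otherwise.

```python
import re

# Constructed sample: the 48 bytes around the version string from the
# hexedit dump in Solution 1 (not taken from a real sshd binary).
SAMPLE = b"nd-line\x00OpenSSH_5.1p1 Debian-3ubuntu1\x00%s, %s\n\x00KR"


def blank_version_suffix(data: bytes, product: bytes = b"OpenSSH") -> bytes:
    """Return a copy of `data` with everything after `product` in its
    NUL-terminated version string overwritten with 0x00 bytes.

    Overwriting instead of deleting keeps the file length and every other
    offset unchanged, which is why the recipe zeroes bytes in place.
    Assumption: the string occurs exactly once; otherwise refuse to patch.
    """
    pattern = re.compile(re.escape(product) + rb"([^\x00]*)\x00")
    matches = list(pattern.finditer(data))
    if len(matches) != 1:
        raise ValueError(f"expected one {product!r} string, found {len(matches)}")
    start, end = matches[0].span(1)  # the "_5.1p1 Debian-3ubuntu1" part
    patched = bytearray(data)
    patched[start:end] = b"\x00" * (end - start)
    return bytes(patched)


def hexdump(data: bytes, base: int = 0) -> list:
    """Render `data` in the hexedit layout used on the page, so the result
    can be compared with the 'before' and 'after' dumps by eye."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(47)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{base + off:08X} {hexpart} {ascii_part}")
    return lines


def patch_file(src: str, dst: str) -> None:
    """Patch a copy of a binary on disk (e.g. /root/tmp/sshd), never the original."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(blank_version_suffix(data))


if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE, 0x53FE0)))
    print()
    print("\n".join(hexdump(blank_version_suffix(SAMPLE), 0x53FE0)))
```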

Solution 2

I don't believe you can hide the server type from NMap, as it's clever enough to detect software type from handshake negotiation, fault handling etc. As for OpenSSH, from the FAQ:

2.14 - Why does OpenSSH report its version to clients?

OpenSSH, like most SSH implementations, reports its name and version to clients when they connect, e.g.

SSH-2.0-OpenSSH_3.9

This information is used by clients and servers to enable protocol compatibility tweaks to work around changed, buggy or missing features in the implementation they are talking to. This protocol feature checking is still required at present because the SSH protocol has not yet been published as an RFC and more incompatible changes may be made before this happens.

If you really want to patch SSH to prevent version display, here's how to do it (personally untested), and here's a description of your mentality (security through obscurity, pros and cons) and here's why I think it's no good and why Bruce Schneier thinks it's good sometimes and bad the rest of the time.

Solution 3

The sshd version string is not configurable at runtime. You can change it by recompiling OpenSSH after modifying the SSH_VERSION #define, or where it is used in sshd.c:

  snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
      SSH_VERSION, newline);

Solution 4

It's not a configurable option. In both cases you would need to make changes to the source code.

OpenSSH relies on the version banner in order to negotiate certain features and quirks between the server and client. You can find older patches for such changes like this which you may be able to adapt for newer releases.

For Apache there has been some discussion in the past and more recently about an Off option to ServerTokens which would remove the product name. But I believe it's been vetoed each time. Again you may wish to use or adapt some available patches but you would be out there on your own.

Frankly you would remain more secure, and indeed more reliable than deviating from the release, by just ensuring that the software gets updated when required. Hiding this information might put off some drive-by attackers. But it won't do you any good against blind scripted or more determined attacks.
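The identification string that Solutions 2 to 4 describe, parsed and checked in Python as an added example (not code from any answer): build_banner mirrors the sshd.c snprintf quoted in Solution 3, parse_banner splits what a client reads from port 22 into protocol version, software version and comments, and audit flags banners that still carry a release number. The SAMPLE_BANNERS are constructed from strings seen on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 4253 section 4.2 identification string:
#   SSH-protoversion-softwareversion [SP comments] CR LF
# Solution 3's snprintf("SSH-%d.%d-%.100s%s", ...) produces exactly this shape.
_ID_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


@dataclass
class Banner:
    proto: str
    software: str
    comments: Optional[str]

    def leaks_version(self) -> bool:
        """True if a release number is exposed, e.g. 'OpenSSH_5.1p1 Debian-3ubuntu1'.
        A patched banner such as 'OpenSSH' alone carries no digits."""
        tail = self.software + (self.comments or "")
        return any(ch.isdigit() for ch in tail)


def build_banner(major: int, minor: int, version: str) -> str:
    """Mirror the sshd.c snprintf quoted in Solution 3 (%.100s caps the version)."""
    return f"SSH-{major}.{minor}-{version[:100]}\r\n"


def parse_banner(line: bytes) -> Banner:
    """Parse the first line a client reads from port 22, as nmap or ssh -vvv would."""
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    m = _ID_RE.match(text)
    if not m:
        raise ValueError(f"not an SSH identification string: {text!r}")
    return Banner(m["proto"], m["software"], m["comments"])


# Constructed banners: the unpatched server from Solution 1, the patched one,
# and the protocol-1.99 host from the question's nmap output.
SAMPLE_BANNERS = [
    b"SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1\r\n",
    b"SSH-2.0-OpenSSH\r\n",
    b"SSH-1.99-OpenSSH_3.9p1\r\n",
]


def audit(banners) -> list:
    """Return (software, leaks_version) per banner: a quick check that a rebuilt
    or hex-patched sshd really stopped announcing its release."""
    return [(b.software, b.leaks_version()) for b in map(parse_banner, banners)]
```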


M.Rezaei

Updated on September 17, 2022

Comments

  • M.Rezaei, almost 2 years

    How to hide web server name and openssh version on linux when scanning server ports?

    When I nmap'ed (nmap -A -T4 192.168.40.12) the server IP from the outside, it shows:

    Starting Nmap 4.62 ( http://nmap.org ) at 2009-11-05 14:11 IRST
    LUA INTERPRETER in nse_init.cc:763: /usr/share/nmap/scripts/robots.nse:4: module 'http' not found:
    no field package.preload['http']
    no file '/usr/share/nmap/nselib/http.lua'
    no file './http.lua'
    no file '/usr/local/share/lua/5.1/http.lua'
    no file '/usr/local/share/lua/5.1/http/init.lua'
    no file '/usr/local/lib/lua/5.1/http.lua'
    no file '/usr/local/lib/lua/5.1/http/init.lua'
    no file '/usr/lib/nmap/nselib-bin/http.so'
    no file './http.so'
    no file '/usr/local/lib/lua/5.1/http.so'
    no file '/usr/local/lib/lua/5.1/loadall.so'
    SCRIPT ENGINE: Aborting script scan.
    Interesting ports on 192.168.40.12:
    Not shown: 1710 closed ports
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     **OpenSSH 3.9p1** (protocol 1.99)
    53/tcp   open  domain  dnsmasq 2.47
    80/tcp   open  http    **Apache httpd**
    222/tcp  open  ssh     **OpenSSH 3.9p1** (protocol 1.99)
    8081/tcp open  http    CherryPy httpd 2.3.0
    MAC Address: 00:10:F3:0F:59:B7 (Nexcom International Co.)
    Device type: firewall
    Running: IPCop Linux 2.4.X
    OS details: IPCop firewall 1.4.10 - 1.4.15 (Linux 2.4.31 - 2.4.34)
    Network Distance: 1 hop
    
    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 8.032 seconds
    

    I modified httpd.conf and changed two lines

    ServerSignature Off 
    ServerTokens Prod
    

    and restarted the Apache server, but it still shows me the Apache name.

    Could anyone help me with this?

    • romandas, about 14 years
      It would be better just to make sure you have the latest stable version of Apache than go through this much trouble trying to hide the service name. Even without it, good scanners can detect what the software is (particularly something well-used like Apache or IIS) just based on how it responds to requests.
  • SeanDowney, almost 12 years
    While it is a hack, it does answer the question
  • Nehal J Wani, about 9 years
    Could you please update the first link? It throws a 404.
  • c4f4t0r, over 7 years
    @Sergey Kuznetsov setting the banner for sshd doesn't help, because an attacker can see the version using ssh -vvv name_of_your_server.