http://www.security-forums.com/viewtopi … ht=#129555
Displaying service version information might look cool, but it is definitely not a good idea. There are numerous malicious folks out there that will use this version information to search for the proper exploits to gain access to your machine.
Retrieving version information for a running service is very simple. A simple telnet to the service will do the trick. Try it out on your local SMTP server. Wait for a zero-day exploit for that specific service and *bang* you own it... or you are owned.
Without the service version information, the bad guy can only guess, and will have to try multiple times, possibly revealing himself. This, in a way, will buy time and prevent certain bad things from happening, but it doesn't mean you no longer need to update the services when they are vulnerable.
This document describes the modifications which need to be made to remove version information from services like OpenSSH, sendmail, etc. Some of these require simple modifications to a configuration-file, while others need to have some source-code modified.
It will focus on the following services:
* OpenSSH (ssh)
* Sendmail (smtp)
* UW ipopd imapd (pop2, pop3 and imap)
* Apache 1.3 (http/https)
* Apache 2.0 (http/https)
* PHP4
* mod_ssl (https)
* Bahamut IRCd
Possibly more will be added. If you feel something is missing or you have any other useful additions to this document, just drop me a line.
OpenSSH
Modifying the version of this open source SSH implementation has become quite simple. Within the source-tree of OpenSSH locate the following file:
Code:
openssh-3.x/version.h
This will say something like this:
Code:
#define SSH_VERSION "OpenSSH_3.x"
This value can be changed into anything of your liking:
Code:
#define SSH_VERSION "SSH_x.x"
Recompile and reinstall the binaries, taking proper precautions not to lock yourself out if logged in through the service you want to upgrade. Telnet to port 22 to check out your brand new banner.
Sendmail
Sendmail doesn't require any modifications to source-code whatsoever. A facility for modifying the banner is present in the configuration-file (sendmail.cf).
Open the file /etc/mail/sendmail.cf (or another location, depending on your distribution or how you installed it). There is a good chance the option is already in there, but commented out:
Code:
#O SmtpGreetingMessage=$j Sendmail 9.x.x / 8.x.x; $b
The $j will be replaced by the status-code and server identification (i.e. "220 smtp.domain.com ESMTP"). Some mail-clients require this; a server-error might occur otherwise. The $b will be replaced by the build date. You could change this to:
Code:
O SmtpGreetingMessage=$j Mailserver; Thu, 1 Jan 1970 01:00:00
Restart the sendmail daemons and you are ready to go. Telnet to port 25 to see your new banner.
UW ipopd / imapd
These are part of PINE, and deliver POP2, POP3 and IMAP services. To strip version information from these, the source-code needs to be modified. Within the PINE source-tree locate the following files:
Code:
pine4.xx/imap/ipopd/ipop2d.c
pine4.xx/imap/ipopd/ipop3d.c
pine4.xx/imap/imapd/imapd.c
Modifying these is quite straightforward. In all these files there is a line which says:
Code:
char *version = "2003.xx";
This can be changed into anything you want:
Code:
char *version = "a.b";
Recompile and install the binaries into their required location and you are ready to go. Note that these services could be in use, so the operating system might refuse to overwrite them. Kill the services and retry.
Apache 1.3
For Apache 1.3.x you need to locate the following file within the Apache source-tree:
Code:
apache-1.3.x/src/include/httpd.h
In that file, locate the lines that say something like this:
Code:
#define SERVER_BASEPRODUCT "Apache"
#define SERVER_BASEREVISION "1.3.29"
This can be changed into anything you want:
Code:
#define SERVER_BASEPRODUCT "Webserver"
#define SERVER_BASEREVISION "a.b.c"
Recompile the server and install the binaries.
Note that, for different modules that add version information (like PHP and mod_perl) you have to modify those as well. Look below for how to remove it from PHP4.
Apache 2.0
For Apache 2.0.x you need to locate the following file within the Apache source-tree:
Code:
httpd-2.0.x/httpd/include/ap_release.h
In that file, locate the lines that say:
Code:
#define AP_SERVER_BASEPRODUCT "Apache"
#define AP_SERVER_MAJORVERSION "2"
#define AP_SERVER_MINORVERSION "0"
#define AP_SERVER_PATCHLEVEL "47"
Modify these into anything you want.
Code:
#define AP_SERVER_BASEPRODUCT "Webserver"
#define AP_SERVER_MAJORVERSION "a"
#define AP_SERVER_MINORVERSION "b"
#define AP_SERVER_PATCHLEVEL "c"
Recompile the server and install the binaries. Telnet to port 80 to do a simple GET / request to see your brand new service banner.
PHP4
Changing the version information for PHP4 requires modifications to source-code as well. If you have not yet compiled it, skip some paragraphs.
If you have already configured and compiled it, locate the following file:
Code:
php-4.x.x/main/php_version.h
Locate the line:
Code:
#define PHP_MAJOR_VERSION 4
#define PHP_MINOR_VERSION 3
#define PHP_RELEASE_VERSION 5
#define PHP_EXTRA_VERSION ""
#define PHP_VERSION "4.3.5"
The MAJOR, MINOR and RELEASE are numbers. Too bad. Modify it to something like this:
Code:
#define PHP_MAJOR_VERSION 4
#define PHP_MINOR_VERSION 0
#define PHP_RELEASE_VERSION 0
#define PHP_EXTRA_VERSION ""
#define PHP_VERSION "4.X.X"
Remove the following files:
Code:
main/main.o
main/main.lo
sapi/sapi_apache.lo
sapi/sapi_apache.o
sapi/php_apache.lo
sapi/php_apache.o
sapi/mod_php4.lo
libs/libphp4.so
libs/libphp4.a
libphp4.a
Do a make install-sapi. This will re-compile the necessary stuff and install it.
If you have not yet compiled PHP4, within the PHP4 source-tree locate the following file:
Code:
php-4.x.x/configure.in
Locate the following lines:
Code:
MAJOR_VERSION=4
MINOR_VERSION=2
RELEASE_VERSION=5
EXTRA_VERSION="RC1"
VERSION="$MAJOR_VERSION.$MINOR_VERSION.$RELEASE_VERSION$EXTRA_VERSION"
The problem here is the versions are numbers, not strings. Only the VERSION string is. It could however be changed to something like this:
Code:
MAJOR_VERSION=4
MINOR_VERSION=0
RELEASE_VERSION=0
EXTRA_VERSION=""
VERSION="4.X.X"
Compile and install as regular and your new banner will be in effect.
mod_ssl
Just like PHP4, mod_ssl also adds some version information to the Webserver banner.
Also, if you have version-patched Apache, the configure script that came with mod_ssl will fail, because the version-check fails. It will output an error like "This was meant for Apache 1.3.29, but you have got Apache a.b.c.".
To fix this, open the 'configure' script and search for APV a couple of times. When you see the "This was meant for Apache 1.3.29" error, you are there. Just above the "if" insert the following line:
Code:
APV="1.3.29"
This will fool mod_ssl into thinking it’s ok, and apply the patches.
OK, on to removing version information from mod_ssl. After applying the patches to the Apache source-tree, locate the following file:
Code:
apache-1.3.x/src/modules/ssl/Makefile
Look for these lines:
Code:
SSL_VERSION=-DMOD_SSL_VERSION=\"2.8.15\"
Modify them to something like this:
Code:
SSL_VERSION=-DMOD_SSL_VERSION=\"2.x.x\" -DSSL_PRODUCT_NAME=\"SSL\" -DSSL_PRODUCT_VERSION=\"a.b.c\"
Then, locate this file:
Code:
apache-1.3.x/src/modules/ssl/ssl_util_ssl.h
Locate these lines:
Code:
#define SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
#define SSL_LIBRARY_NAME "OpenSSL"
#define SSL_LIBRARY_TEXT OPENSSL_VERSION_NUMBER
Change them into something like this:
Code:
#define SSL_LIBRARY_NAME "SSL"
#define SSL_LIBRARY_TEXT "SSL/x.x.x"
Do a make all in the src/modules/ssl directory to compile only mod_ssl. Install the binaries by copying libssl.so into your ${APACHEROOT}/libexec directory.
Then, restart your webserver for the new banner to take effect. Check 'em out with a simple GET / request.
Bahamut IRCd
To remove the version information from the Bahamut IRC daemon, within the source-tree, locate the following file:
Code:
src/s_user.c
Locate the line that uses the RPL_YOURHOST define in the sendto_one( )-call (somewhere around line 855/860).
The RPL_YOURHOST is a define defining a formatting string that says something like "Hi there, . This machine is running".
Code:
sendto_one(sptr, rpl_str(RPL_YOURHOST), me.name, nick, get_client_name(&me, TRUE), version );
..into something like this:
Code:
sendto_one(sptr, rpl_str(RPL_YOURHOST), me.name, nick, get_client_name(&me, TRUE), "ircd-1.X" );
Edit
2004-04-27; Updated stuff for Apache 1.3.29 / PHP 4.3.5, and removed some typos.
2003-11-16; Added the Bahamut IRC daemon hack.
2003-10-05; Added a *working* PHP4 hack.
2003-10-05; Added mod_ssl hack.
_________________
It was fun while it lasted….
Last edited by hugo on Tue Apr 27, 2004 11:59 am; edited 3 times in total
Dunceor
Frequent Member
Joined: 05 Sep 2003
Posts: 219
Location: Sweden
PostPosted: Sun Oct 05, 2003 6:51 pm Post subject:
Well it's always good to do more stuff so crackers get it tougher to get into your system, but some people think that it's enough just to change the banner of the program and they are safe. Don't go down that line..
Security by obscurity is a bad thing.
Otherwise a good text….
/me goes and changes some banners...
_________________
http://www.puffy.nu/~dunceor
Weaver
Regular Member
Joined: 04 Jan 2003
Posts: 80
Location: WI, USA
PostPosted: Wed Oct 08, 2003 11:31 pm Post subject:
I noticed you didn’t have one for qmail…
Props to DJB for a great MTA.
-Weaver
_________________
“Great spirits have always encountered violent opposition from mediocre minds.”
fsb
Frequent Member
Joined: 08 May 2003
Posts: 117
PostPosted: Thu Oct 09, 2003 1:39 am Post subject:
I wish I had read that when removing the banners from my server a few months ago. It would have saved hours of cursing. Thanks all the same Hugo, I knew there was a reason you had root on my box.
z0ulsh1ne
Just Arrived
Joined: 03 Jul 2003
Posts: 2
PostPosted: Tue Oct 28, 2003 12:12 am Post subject:
Hi there,
I have tried changing the banner of my proftpd with:
ServerIdent on “Welcome home”
or
ServerIdent off
in my /etc/proftpd.conf – works both fine.
When I connect it shows no more proftpd information.
But nmapping still says:
21/tcp open ftp ProFTPD 1.2.8
I know nmap does more tests on a server than just looking at the banner, but how could I hide my version from nmap?
nice day
z0ulsh1ne
ps: wow what a board, reading reading reading learning
Sgt_B
Trusted SFDC Member
Joined: 28 Oct 2002
Posts: 1120
Location: Chicago,IL US
PostPosted: Tue Oct 28, 2003 5:18 pm Post subject:
Good read hugo! Thanks!
There's another way to modify Apache banners w/o editing source code. Some of you may be uncomfortable editing source code, or don't have the time or window of opportunity to recompile. In this case you could use the ServerTokens directive in httpd.conf. While this method is very useful it is not as good as hugo's. Using ServerTokens at its "highest" setting will still show the server type during a banner grab (Apache). This may be acceptable since it also removes any mod banners as well. Still, for full obscurity, you may want to use hugo's suggestion (combined with ServerTokens maybe?)
Quote:
ServerTokens directive
Syntax: ServerTokens Minimal|ProductOnly|OS|Full
Default: ServerTokens Full
Context: server config
Status: core
Compatibility: ServerTokens is only available in Apache 1.3 and later; the ProductOnly keyword is only available in versions later than 1.3.12
This directive controls whether Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.
ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache
ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/1.3.0
ServerTokens OS
Server sends (e.g.): Server: Apache/1.3.0 (Unix)
ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2
This setting applies to the entire server, and cannot be enabled or disabled on a virtualhost-by-virtualhost basis.
http://httpd.apache.org/docs/mod/core.html#servertokens
_________________
“All that is necessary for the triumph of evil is that good men do nothing.” –Edmund Burke (1729 – 1797)
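Both hugo's post ("telnet to the port to check out your brand new banner") and Sgt_B's ServerTokens note come down to the same verification step: connect, read what the service announces, and confirm no product/version pair is left in it. The script below is an added example written for this thread; it is not code from hugo, Sgt_B or any of the projects discussed. It embeds constructed before/after banners modelled on the edits in the thread (the OpenSSH, sendmail, Apache/PHP/mod_ssl and UW imapd cases) so it runs offline, and the `grab_banner`/`audit_hosts` helpers are hypothetical names for the live check against your own hosts. The HTTP status line's protocol version and the "SSH-2.0-" prefix are deliberately not counted as leaks, since the protocols require them.

```python
import re
import socket

# Matches "Product/1.2.3", "Product_1.2p1", "Product 1.2.3" and "Product (1.2.3)".
# The product character class excludes "-" on purpose, so the mandatory
# "SSH-2.0-" protocol prefix of an SSH banner is never reported as a leak.
VERSION_RE = re.compile(
    r"\b([A-Za-z][A-Za-z0-9_.]*?)[/_ ]\(?(\d+(?:\.\d+)+[A-Za-z0-9]*)"
)

# "HTTP/1.0 200 OK" is the protocol version, not a product version.
IGNORED_PRODUCTS = {"HTTP"}

# What to send after connecting. SMTP, SSH, POP3 and IMAP speak first, so an
# empty probe is enough; HTTP only answers a request (hugo's "GET /").
PROBES = {
    22: b"",
    25: b"",
    80: b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n",
    110: b"",
    143: b"",
}


def find_version_leaks(banner):
    """Return (product, version) pairs that look like version disclosure.

    When a version stands alone after a hostname (UW ipopd style
    "mail.example.com 2003.83"), the hostname is reported as the product;
    it is still a leak worth fixing.
    """
    return [(p, v) for p, v in VERSION_RE.findall(banner) if p not in IGNORED_PRODUCTS]


def audit_banner(banner):
    """Classify one banner string: the leaks found plus a short verdict."""
    leaks = find_version_leaks(banner)
    return {"leaks": leaks, "verdict": "LEAK" if leaks else "ok"}


def grab_banner(host, port, probe=None, timeout=5.0):
    """Connect, optionally send a probe, and return the first reply as text.

    This is the scripted form of "telnet to the port"; only run it against
    hosts you administer.
    """
    if probe is None:
        probe = PROBES.get(port, b"")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        data = sock.recv(4096)
    return data.decode("utf-8", errors="replace")


def audit_hosts(targets, timeout=5.0):
    """targets: iterable of (host, port). Returns {(host, port): audit result}."""
    results = {}
    for host, port in targets:
        try:
            banner = grab_banner(host, port, timeout=timeout)
        except OSError as exc:
            results[(host, port)] = {"leaks": [], "verdict": "error: %s" % exc}
            continue
        results[(host, port)] = audit_banner(banner)
    return results


# Constructed sample banners: what the services in the thread announce before
# and after the edits described above. Not captured from any real host.
SAMPLE_BANNERS = {
    "ssh before": "SSH-2.0-OpenSSH_3.9p1",
    "ssh after": "SSH-2.0-SSH_x.x",
    "smtp before": "220 mail.example.com ESMTP Sendmail 8.12.10/8.12.10; Mon, 5 Oct 2003 12:00:00 +0200",
    "smtp after": "220 mail.example.com Mailserver; Thu, 1 Jan 1970 01:00:00",
    "http before": "Server: Apache/1.3.29 (Unix) PHP/4.3.5 mod_ssl/2.8.15 OpenSSL/0.9.7d",
    "http after": "Server: Webserver/a.b.c (Unix) PHP/4.X.X SSL/x.x.x",
    "http prod": "Server: Apache",
    "imap before": "* OK [CAPABILITY IMAP4REV1] mail.example.com IMAP4rev1 2003.338 at Mon, 5 Oct 2003 12:00:00 +0200 (CEST)",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        result = audit_banner(banner)
        print("%-12s %-5s %s" % (name, result["verdict"], result["leaks"]))
```

Run it as-is to see the sample banners classified; to check your own machine after the edits, call `audit_hosts([("localhost", 22), ("localhost", 25), ("localhost", 80)])`. A "Server: Apache" line with `ServerTokens Prod` comes back as `ok`, which matches Sgt_B's point: the product name is still there, but no version, module or OS string is.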
vlad902
Frequent Member
Joined: 04 Jan 2003
Posts: 162
PostPosted: Tue Oct 28, 2003 8:03 pm Post subject:
FYI for postfix in main.cf it has a line like:
$smtpd_banner = $mydomain ESMTP $mailversion
(or something like that). So I'd just change it to:
$smtpd_banner = $mydomain SMTP Sendmail 1.7.4 (Windows 98^H^H2000)
uslacker99
Just Arrived
Joined: 30 Sep 2004
Posts: 1
PostPosted: Thu Sep 30, 2004 8:56 am Post subject: sendmail version --> greeting may not be enough
If you’re really paranoid, you will want to:
cat /dev/null > /etc/mail/sendmail.hf
or to whatever file your helpfile is set to in /etc/mail/sendmail.cf.
That way, when someone connects to your server and types help, he doesn't see your version.