Linux ssh Hide OpenSSH Version Banner
Hide OpenSSH Version Banner
Here is a quick and dirty method for hiding some of the banner information advertised by OpenSSH[1]. This article focuses on how to use hexedit[2] to update your sshd binary to reduce information leakage.
Hiding the version information from OpenSSH is not supported by configuration[3]. This may have been added in some versions[4] and could be achieved by compiling your own version from source or switching to port knocking – these approaches are not covered. Be aware that this is only a temporary change to obfuscate what you are running and the following change will revert whenever OpenSSH is updated.
Problem
SSH Servers such as OpenSSH advertise information such as protocol support, build version and host operating system. For example:
$ nc example.local 22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u2
Would be attackers scan the internet[5] and create large databases to search for servers running software with known vulnerabilities[6]. While this may have somewhat legitimate uses such as research into market share of SSH servers or for system admins monitoring their network for machines requiring patches; its generally not a good idea to give away such information freely to the Internet.
You can also use telnet or nmap to snoop on the same information e.g:
$ nmap -A -T4 -p 22 example.local Starting Nmap 7.60 ( https://nmap.org ) Nmap scan report for example.local (1.2.3.4) Host is up (0.0044s latency). rDNS record for 1.2.3.4: 1-2-3-4.kram.nz PORT STATE SERVICE VERSION 22/tcp open ssh (protocol 2.0) | fingerprint-strings: | NULL: |_ SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u2
$ telnet example 22 Trying ::1... Connected to example. Escape character is '^]'. SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u2
Removing the Banner
Warning: Doing this while connected via SSH is risky as you can lock yourself out. If you are, set up a way to recover the original binary (i.e. set up another way to connect to the machine or a cron job to restore a copy of the original).
These steps use the hexedit[2] tool which is light weight and should be in your package manager. The goal is to write over the existing version string with text of your choice. The instructions are written for Debian / Systemd from steps followed on a Raspberri Pi running Raspbian.
- Check the current banner:
$ echo "Hello" | nc localhost 22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u2 Protocol mismatch.
In this case, the part of the banner we want to hide is “OpenSSH_7.4p1 Raspbian-10+deb9u2” which is broadcasting the versions of my SSH server and operating system. Hiding the protocol is a bit harder and not covered here.
We can see this in the binary too:$ strings /usr/sbin/sshd | grep Rasp OpenSSH_7.4p1 Raspbian-10+deb9u2
- Escalate to a root session:
$ sudo su
- Install hexedit:
# apt-get update && apt-get install hexedit
- Back up your sshd binary and create an editable working copy (as root):
# cp /usr/sbin/sshd /tmp/sshd.backup # cp /tmp/sshd.backup /tmp/sshd.new
- Update the binary with hexedit:
# hexedit /tmp/sshd.new
Press TAB to switch from the HEX are to the ASCII area
Use CTRL+S to bring up the search prompt and search for the text in your banner than you want to hide e.g. ‘OpenSSH_7.4’. You should see something like:0007DA54 61 67 65 6E 74 00 00 00 4F 70 65 6E agent...Open 0007DA60 53 53 48 5F 37 2E 34 70 31 20 52 61 SSH_7.4p1 Ra 0007DA6C 73 70 62 69 61 6E 2D 31 30 2B 64 65 spbian-10+de 0007DA78 62 39 75 32 00 00 00 00 4F 70 65 6E b9u2....Open
Use the arrow keys to highlight the start of the string that you want to update and type your replacement. Be careful to stay within the bounds of the length of the original banner. You can also press TAB to switch back to the HEX area if you wanted to just null out the string setting each word to ’00’.
Your change should look something like:0007DA54 61 67 65 6E 74 00 00 00 48 65 72 65 agent...Here 0007DA60 20 62 65 20 64 72 61 67 6F 6E 73 2E be dragons. 0007DA6C 20 54 75 72 6E 20 42 61 63 6B 00 00 Turn Back.. 0007DA78 00 00 00 00 00 00 00 00 4F 70 65 6E ........Open
Save your changes with CTRL+x and a Y.
- Check if there are any instances that we missed (we expect no output now):
# strings /tmp/sshd.new | grep Rasp
- Update sshd and restart the service for good measure:
# rm /usr/sbin/sshd # cp /tmp/sshd.new /usr/sbin/sshd # systemctl restart ssh.service
- Check that you can still SSH in (otherwise restore the backup or reinstall OpenSSH from your package manager!):
# ssh user@localhost
This change will only be temporary as any time you update OpenSSH, the binary will be replaced.
Result
The process above will result in something like the following:
$ nc localhost 22 SSH-2.0-Here be dragons. Turn Back
Where before this would be along the lines of:
$ nc localhost 22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u2
Which makes the version you are running just a little bit more obscure and and also adds bit of fun.
References
(last checked 2018-01-06)
- https://www.openssh.com/
- https://sourceforge.net/projects/hexedit/
- https://man.openbsd.org/sshd_config.5
- https://scottlinux.com/2011/06/14/disable-debian-banner-suffix-on-ssh-server/
- http://resources.infosecinstitute.com/masscan-scan-internet-minutes/
- https://www.shodan.io/
- https://serverfault.com/questions/81690/how-to-hide-web-server-name-and-openssh-version-on-linux-when-scanning-server-po
- https://www.openssh.com/
- https://sourceforge.net/projects/hexedit/
- https://man.openbsd.org/sshd_config.5
- https://scottlinux.com/2011/06/14/disable-debian-banner-suffix-on-ssh-server/
- http://resources.infosecinstitute.com/masscan-scan-internet-minutes/
- https://www.shodan.io/
- https://serverfault.com/questions/81690/how-to-hide-web-server-name-and-openssh-version-on-linux-when-scanning-server-po
Subscribe to Article
Print Article
Email Article to Friend
Export to PDF
Export to MS Word