Security Forums


Removing Version Information From Services

hugo
Forum Fanatic
Joined: 14 Jun 2003
Location: Netherlands, Europe

PostPosted: Sun Oct 05, 2003 3:05 pm    Post subject: Removing Version Information From Services

Removing Version Information From Services

Displaying service version information might look cool, but it is definitely not a good idea. There are numerous malicious folks out there who will use this version information to search for the proper exploits to gain access to your machine.

Retrieving version information for a running service is very simple. A simple telnet to the service will do the trick. Try it out on your local SMTP server. Wait for a zero-day exploit for that specific service and *bang* you own it.... or you are owned.

Without the service version information, the bad guy can only guess and will have to try multiple times, possibly revealing himself. This, in a way, buys time and prevents certain bad things from happening, but it doesn't mean you no longer need to update the services when they are vulnerable.

This document describes the modifications that need to be made to remove version information from services like OpenSSH, sendmail, etc. Some of these require simple modifications to a configuration file, while others need to have some source code modified.

It will focus on the following services:

* OpenSSH (ssh)
* Sendmail (smtp)
* UW ipopd imapd (pop2, pop3 and imap)
* Apache 1.3 (http/https)
* Apache 2.0 (http/https)
* PHP4
* mod_ssl (https)
* Bahamut IRCd

Possibly more will be added. If you feel something is missing or you have any other useful additions to this document, just drop me a line.

OpenSSH
Modifying the version of this open source SSH implementation has become quite simple. Within the source-tree of OpenSSH locate the following file:
Code:

openssh-3.x/version.h


This will say something like this:
Code:

#define SSH_VERSION      "OpenSSH_3.x"

This value can be changed into anything of your liking:
Code:

#define SSH_VERSION      "SSH_x.x"

Recompile and reinstall the binaries, taking proper precautions not to lock yourself out if you are logged in through the service you want to upgrade. Telnet to port 22 to check out your brand new banner.


Sendmail
Sendmail doesn't require any modifications to source code whatsoever. A facility for modifying the banner is present in the configuration file (sendmail.cf).

Open the file /etc/mail/sendmail.cf (or another location, depending on your distribution or how you installed it). There is a good chance the option is already in there, but commented out:
Code:

#O SmtpGreetingMessage=$j Sendmail 9.x.x / 8.x.x; $b

The $j will be replaced by the status code and server identification (i.e. ``220 smtp.domain.com ESMTP''). Some mail clients require this; a server error might occur otherwise. The $b will be replaced by the build date. You could change this to:
Code:

O SmtpGreetingMessage=$j Mailserver; Thu, 1 Jan 1970 01:00:00

Restart the sendmail daemons and you are ready to go. Telnet to port 25 to see your new banner.


UW ipopd / imapd
These are part of PINE, and deliver POP2, POP3 and IMAP services. To strip version information from these, the source-code needs to be modified. Within the PINE source-tree locate the following files:
Code:

pine4.xx/imap/ipopd/ipop2d.c
pine4.xx/imap/ipopd/ipop3d.c
pine4.xx/imap/imapd/imapd.c

Modifying these is quite straight-forward. In all these files there is a line which says:
Code:

char *version = "2003.xx";

This can be changed into anything you want:
Code:

char *version = "a.b";

Recompile and install the binaries into their required location and you are ready to go. Note that these services could be in use, so the operating system might refuse to overwrite them. Kill the services and retry.


Apache 1.3
For Apache 1.3.x you need to locate the following file within the Apache source-tree:
Code:

apache-1.3.x/src/include/httpd.h

In that file, locate the lines that say something like this:
Code:

#define SERVER_BASEPRODUCT    "Apache"
#define SERVER_BASEREVISION   "1.3.29"

This can be changed into anything you want:
Code:

#define SERVER_BASEPRODUCT    "Webserver"
#define SERVER_BASEREVISION   "a.b.c"

Recompile the server and install the binaries.

Note that, for different modules that add version information (like PHP and mod_perl) you have to modify those as well. Look below for how to remove it from PHP4.


Apache 2.0
For Apache 2.0.x you need to locate the following file within the Apache source-tree:
Code:

httpd-2.0.x/include/ap_release.h

In that file, locate the lines that say:
Code:

#define AP_SERVER_BASEPRODUCT    "Apache"
#define AP_SERVER_MAJORVERSION   "2"
#define AP_SERVER_MINORVERSION   "0"
#define AP_SERVER_PATCHLEVEL     "47"

Modify these into anything you want.
Code:

#define AP_SERVER_BASEPRODUCT    "Webserver"
#define AP_SERVER_MAJORVERSION   "a"
#define AP_SERVER_MINORVERSION   "b"
#define AP_SERVER_PATCHLEVEL     "c"

Recompile the server and install the binaries. Telnet to port 80 to do a simple GET / request to see your brand new service banner.


PHP4
Changing the version information for PHP4 requires modifications to source-code as well. If you have not yet compiled it, skip some paragraphs.

If you have already configured and compiled it, locate the following file:
Code:

php-4.x.x/main/php_version.h


Locate the lines:
Code:

#define PHP_MAJOR_VERSION 4
#define PHP_MINOR_VERSION 3
#define PHP_RELEASE_VERSION 5
#define PHP_EXTRA_VERSION ""
#define PHP_VERSION "4.3.5"


The MAJOR, MINOR and RELEASE are numbers. Too bad. Modify it to something like this:
Code:

#define PHP_MAJOR_VERSION 4
#define PHP_MINOR_VERSION 0
#define PHP_RELEASE_VERSION 0
#define PHP_EXTRA_VERSION ""
#define PHP_VERSION "4.X.X"


Remove the following files:
Code:

main/main.o
main/main.lo
sapi/sapi_apache.lo
sapi/sapi_apache.o
sapi/php_apache.lo
sapi/php_apache.o
sapi/mod_php4.lo
libs/libphp4.so
libs/libphp4.a
libphp4.a


Do a make install-sapi. This will re-compile the necessary stuff and install it.

If you have not yet compiled PHP4, within the PHP4 source-tree locate the following file:
Code:

php-4.x.x/configure.in


Locate the following lines:
Code:

MAJOR_VERSION=4
MINOR_VERSION=2
RELEASE_VERSION=5
EXTRA_VERSION="RC1"
VERSION="$MAJOR_VERSION.$MINOR_VERSION.$RELEASE_VERSION$EXTRA_VERSION"


The problem here is the versions are numbers, not strings. Only the VERSION string is. It could however be changed to something like this:
Code:

MAJOR_VERSION=4
MINOR_VERSION=0
RELEASE_VERSION=0
EXTRA_VERSION=""
VERSION="4.X.X"


Compile and install as regular and your new banner will be in effect.

mod_ssl
Just like PHP4, mod_ssl also adds some version information to the Webserver banner.

Also, if you have version-patched Apache, the configure script that came with mod_ssl will fail, because the version check fails. It will output an error like "This was meant for Apache 1.3.29, but you have got Apache a.b.c."

To fix this, open the `configure' script and search for APV a couple of times. When you see the 'This was meant for Apache 1.3.29' error, you are there. Just above the ``if'' insert the following line:
Code:

APV="1.3.29"

This will fool mod_ssl into thinking it's ok, and apply the patches.

OK, on to removing version information from mod_ssl. After applying the patches to the Apache source-tree, locate the following file:
Code:

apache-1.3.x/src/modules/ssl/Makefile

Look for these lines:
Code:

SSL_VERSION=-DMOD_SSL_VERSION=\"2.8.15\"

Modify it to something like this:
Code:

SSL_VERSION=-DMOD_SSL_VERSION=\"2.x.x\" -DSSL_PRODUCT_NAME=\"SSL\" -DSSL_PRODUCT_VERSION=\"a.b.c\"

Then, locate this file:
Code:

apache-1.3.x/src/modules/ssl/ssl_util_ssl.h

Locate these lines:
Code:

#define SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
#define SSL_LIBRARY_NAME    "OpenSSL"
#define SSL_LIBRARY_TEXT     OPENSSL_VERSION_NUMBER

Change them into something like this:
Code:

#define SSL_LIBRARY_NAME    "SSL"
#define SSL_LIBRARY_TEXT    "SSL/x.x.x"

Do a make all in the src/modules/ssl directory to compile only mod_ssl. Install the binaries by copying libssl.so into your ${APACHEROOT}/libexec directory.

Then, restart your webserver for the new banner to take effect. Check them out with a simple GET / request.


Bahamut IRCd
To remove the version information from the Bahamut IRC daemon, within the source-tree, locate the following file:
Code:

src/s_user.c

Locate the line that uses the RPL_YOURHOST define in the sendto_one( )-call (somewhere around line 855/860).

RPL_YOURHOST is a define for a format string that says something like "Hi there, <user>. This machine is running <irc version>."

To prevent the real version from popping up, replace the line
Code:

sendto_one(sptr, rpl_str(RPL_YOURHOST), me.name, nick, get_client_name(&me, TRUE), version );

with something like this:
Code:

sendto_one(sptr, rpl_str(RPL_YOURHOST), me.name, nick, get_client_name(&me, TRUE), "ircd-1.X" );



Edit
2004-04-27; Updated stuff for Apache 1.3.29 / PHP 4.3.5, and removed some typos.
2003-11-16; Added the Bahamut IRC daemon hack.
2003-10-05; Added a *working* PHP4 hack.
2003-10-05; Added mod_ssl hack.


Last edited by hugo on Tue Apr 27, 2004 11:59 am; edited 3 times in total
Dunceor
Just Arrived
Joined: 05 Sep 2003
Location: Sweden

PostPosted: Sun Oct 05, 2003 6:51 pm

Well, it's always good to do more stuff so crackers have it tougher to get into your system, but some people think that it's enough just to change the banner of the program and they are safe. Don't go down that line.
Security by obscurity is a bad thing.

Otherwise a good text....

/me goes and change some banners...
Weaver
Trusted SF Member
Joined: 04 Jan 2003
Location: WI, USA

PostPosted: Wed Oct 08, 2003 11:31 pm

I noticed you didn't have one for qmail...

Props to DJB for a great MTA.

-Weaver
fsb
Just Arrived
Joined: 08 May 2003

PostPosted: Thu Oct 09, 2003 1:39 am

I wish I had read that when removing the banners from my server a few months ago. It would have saved hours of cursing. Thanks all the same Hugo, I knew there was a reason you had root on my box.
z0ulsh1ne
Just Arrived
Joined: 03 Jul 2003

PostPosted: Tue Oct 28, 2003 12:12 am

Hi there,
I have tried changing the banner of my proftpd with:
ServerIdent on "Welcome home"
or
ServerIdent off
in my /etc/proftpd.conf; both work fine.
When I connect it shows no more proftpd information.
But nmapping it still says:
21/tcp open ftp ProFTPD 1.2.8
I know nmap does more tests on a server than just looking at the banner, but how could I hide my version from nmap?

nice day
z0ulsh1ne

ps: wow what a board, reading reading reading learning Very Happy
Sgt_B
Trusted SF Member
Joined: 28 Oct 2002
Location: Chicago, IL US

PostPosted: Tue Oct 28, 2003 5:18 pm

Good read hugo! Thanks! Smile

There's another way to modify Apache banners without editing source code. Some of you may be uncomfortable editing source code, or don't have the time or window of opportunity to recompile. In this case you could use the ServerTokens directive in httpd.conf. While this method is very useful, it is not as good as hugo's. Using ServerTokens at its "highest" setting will still show the server type during a banner grab (Apache). This may be acceptable since it also removes any mod banners as well. Still, for full obscurity, you may want to use hugo's suggestion (combined with ServerTokens maybe?)
Quote:

ServerTokens directive
Syntax: ServerTokens Minimal|ProductOnly|OS|Full
Default: ServerTokens Full
Context: server config
Status: core
Compatibility: ServerTokens is only available in Apache 1.3 and later; the ProductOnly keyword is only available in versions later than 1.3.12
This directive controls whether Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.

ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache
ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/1.3.0
ServerTokens OS
Server sends (e.g.): Server: Apache/1.3.0 (Unix)
ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2
This setting applies to the entire server, and cannot be enabled or disabled on a virtualhost-by-virtualhost basis.

http://httpd.apache.org/docs/mod/core.html#servertokens
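The check hugo's post relies on (telnet to the port and eyeball the banner) and the ServerTokens levels Sgt_B quotes, as an added example that is part of neither post and not any project's own code: a small Python banner audit that parses each service's greeting, reports any numeric version still present, and also flags an edit that breaks the protocol the banner belongs to. RFC 4253 forbids whitespace and '-' in the SSH software string and caps the line at 255 bytes; RFC 5321 expects the 220 greeting to begin with the server's fully qualified name, which is why hugo keeps $j. The sample banners, host names and the "ircd-1.4.35" string are constructed; the protocol rules come from the RFCs, not from the thread.

```python
"""Banner audit for the services in this thread: parse each greeting, report any
numeric version that still leaks and any protocol rule the edited banner breaks.
All sample banners below are constructed for this example, not captured."""
import re
from dataclasses import dataclass

# Numeric dotted version (1.3.29, 8.12.10, 3.6.1p2); placeholders such as
# "x.x", "a.b.c" or "4.X.X" contain no digit.digit pair and never match.
VERSION_RE = re.compile(r"(?<![\d.])\d+(?:\.\d+)+[A-Za-z0-9]*")

@dataclass
class Finding:
    service: str
    versions: list  # numeric versions an attacker could look up
    problems: list  # protocol rules the (edited) banner violates

def find_versions(text):
    """Unique numeric versions in text, in order of appearance."""
    return list(dict.fromkeys(VERSION_RE.findall(text)))

def audit_ssh(line):
    # RFC 4253 4.2: "SSH-protoversion-softwareversion [SP comments] CR LF".
    # softwareversion is printable US-ASCII without whitespace or '-', and the
    # whole line is at most 255 bytes including CR LF; clients do parse this.
    line = line.rstrip("\r\n")
    m = re.fullmatch(r"SSH-(1\.5|1\.99|2\.0)-(\S+)(?: (.*))?", line)
    if m is None:
        return Finding("ssh", find_versions(line), ["not SSH-proto-software"])
    software, comments = m.group(2), m.group(3) or ""
    problems = []
    if "-" in software:
        problems.append("softwareversion contains '-'")
    if len(line) + 2 > 255:
        problems.append("identification line longer than 255 bytes")
    return Finding("ssh", find_versions(software + " " + comments), problems)

def audit_smtp(line):
    # RFC 5321 4.2: "220 <domain> [text]". Keep sendmail's $j so the greeting
    # still starts with the fully qualified host name; some clients insist.
    m = re.fullmatch(r"220[ -](\S+)(?: (.*))?", line.rstrip("\r\n"))
    if m is None:
        return Finding("smtp", find_versions(line), ["greeting is not a 220 line"])
    problems = [] if "." in m.group(1) else ["greeting does not start with a FQDN"]
    return Finding("smtp", find_versions(m.group(2) or ""), problems)

def audit_greeting(service, line, prefix):
    # POP3 (RFC 1939 3) greets with "+OK ...", IMAP (RFC 3501 7.1.1) with "* OK ...".
    line = line.rstrip("\r\n")
    problems = [] if line.startswith(prefix) else [f"greeting must start with {prefix}"]
    return Finding(service, find_versions(line), problems)

def server_value(header):
    """Strip an optional 'Server:' field name from a response header line."""
    return re.sub(r"^server:\s*", "", header.strip(), flags=re.I)

def servertokens_level(header):
    """Apache ServerTokens level that yields a Server header of this shape
    (RFC 2616 3.8: Server = product *( SP product | comment ))."""
    value = server_value(header)
    products = re.sub(r"\([^)]*\)", " ", value).split()  # tokens minus (OS) comments
    if len(products) > 1:
        return "Full"
    if "(" in value:
        return "OS"
    return "Minimal" if products and "/" in products[0] else "ProductOnly"

AUDITORS = {
    "ssh": audit_ssh,
    "smtp": audit_smtp,
    "http": lambda h: Finding("http", find_versions(server_value(h)), []),
    "pop3": lambda l: audit_greeting("pop3", l, "+OK"),
    "imap": lambda l: audit_greeting("imap", l, "* OK"),
    # RFC 2812 5.1, RPL_YOURHOST (002): "... running version <version>".
    "irc": lambda l: Finding("irc", find_versions(l), []),
}

def audit(service, banner):
    return AUDITORS[service](banner)

# Constructed before/after pairs mirroring the edits described in the thread.
SAMPLES = {
    "ssh": ("SSH-2.0-OpenSSH_3.6.1p2\r\n", "SSH-2.0-SSH_x.x\r\n"),
    "smtp": ("220 smtp.example.com ESMTP Sendmail 8.12.10/8.12.10; Sun, 5 Oct 2003 15:05:00 +0200\r\n",
             "220 smtp.example.com Mailserver; Thu, 1 Jan 1970 01:00:00\r\n"),
    "http": ("Server: Apache/1.3.29 (Unix) PHP/4.3.5 mod_ssl/2.8.16 OpenSSL/0.9.7c",
             "Server: Webserver/a.b.c (Unix) PHP/4.X.X SSL/a.b.c SSL/x.x.x"),
    "pop3": ("+OK POP3 mail.example.com 2003.83 server ready\r\n",
             "+OK POP3 mail.example.com a.b server ready\r\n"),
    "imap": ("* OK [CAPABILITY IMAP4REV1] mail.example.com IMAP4rev1 2003.339 at Sun, 5 Oct 2003\r\n",
             "* OK [CAPABILITY IMAP4REV1] mail.example.com IMAP4rev1 a.b at Thu, 1 Jan 1970\r\n"),
    "irc": (":irc.example.net 002 alice :Your host is irc.example.net, running version ircd-1.4.35\r\n",
            ":irc.example.net 002 alice :Your host is irc.example.net, running version ircd-1.X\r\n"),
}

def still_leaking():
    # Services whose edited banner still shows a numeric version or breaks its protocol.
    bad = {}
    for service, (_, after) in SAMPLES.items():
        finding = audit(service, after)
        if finding.versions or finding.problems:
            bad[service] = finding
    return bad
```

To use it on a real host, replace the SAMPLES strings with what the telnet sessions from the post return (for HTTP, send `HEAD / HTTP/1.0` and paste the Server line). The audit only sees what the greeting says; as the nmap question above shows, a fingerprinting scanner also probes behaviour, so a clean banner is a necessary check, not proof that the version is hidden.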
vlad902
Just Arrived
Joined: 04 Jan 2003

PostPosted: Tue Oct 28, 2003 8:03 pm

FYI, for postfix in main.cf there is a line like:

smtpd_banner = $mydomain ESMTP $mail_version

(or something like that). So I'd just change it to:

smtpd_banner = $mydomain SMTP Sendmail 1.7.4 (Windows 98^H^H2000) Laughing Laughing
uslacker99
Just Arrived
Joined: 30 Sep 2004

PostPosted: Thu Sep 30, 2004 8:56 am    Post subject: sendmail version --> greeting may not be enough

If you're really paranoid, you will want to:
cat /dev/null > /etc/mail/sendmail.hf
or do the same to whatever file your help file is set to in /etc/mail/sendmail.cf.

That way, when someone connects to your server and types help, he doesn't see your version.