[aklug] Re: OS Detection & ssh version

From: Royce Williams <royce@alaska.net>
Date: Wed Feb 11 2009 - 20:06:36 AKST

Richard Moore wrote, on 2/11/2009 4:53 PM:
> I guess it does not matter, but to be PCI DSS compliant in 2010, it cannot
> show the build version; all it can show is SSH2 or SSH, and it cannot be
> possible to get the OS version with nmap's OS detection.

You have to edit the source to obscure the ssh version, IIRC. This is
by design from the OpenSSH team. If they thought that obscuring it
was good security practice, they'd probably make it a knob (unless
some distros come with a widgeted version? I suppose that's possible,
but I haven't encountered one).

Don't get me wrong. I think that a little obscurity can keep a lot of
the bots from hammering you 24x7 ... but it takes a truly
self-disciplined admin to not take misguided comfort in the fact that
their unpatched sshd has a suppressed version.

And for the nmap, there's some stuff that you can tweak in the kernel
(I'm thinking Solaris) or firewall configurations, depending on your
distro, to make you a little harder to peg ... but nmap is as good as
the fingerprint database. That arms race is going to make most
compliant boxes non-compliant pretty fast, so I'm not sure that I
really see the point. cbrown may chime in here at some point ...

In other words, if the PCI folks think that these things are going to
help, I'm switching to cash. :-) I just flipped through PCI DSS
version 1.2 and didn't see anything about nmap or SSH versioning, and
couldn't find a link to any drafts - where did you find the 2010 heads-up?

Are you in the payment card industry? (Are you at liberty to say?) :-)

Royce
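The thread above is about what an sshd banner gives away. As an added example that is not part of the original mail or of OpenSSH itself, the following Python parses SSH identification strings using the format defined in RFC 4253 section 4.2 ("SSH-protoversion-softwareversion SP comments CR LF") and reports whether a banner exposes the software version and a distro/package build hint. All banners in it are constructed for illustration; the function and field names are this example's own, and grab_banner() is a live helper that is not exercised here.

```python
# Added example (not from the original thread): parse SSH identification strings
# per RFC 4253 section 4.2 and report how much a server banner discloses.
# All banners below are constructed for illustration, not captured from real hosts.
import re
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 4253 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# The software field is matched leniently (\S+): the RFC forbids a minus sign
# in it, but some real servers send one anyway.
_ID_LINE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?:[ \t]+(?P<comments>.*))?$"
)


@dataclass
class SshBanner:
    protocol: str            # "2.0", or "1.99" for a server speaking 1.x and 2.0
    product: str             # e.g. "OpenSSH"
    version: Optional[str]   # e.g. "5.1p1"; None when the banner suppresses it
    comments: Optional[str]  # e.g. "Debian-5"; often leaks the distro/package build

    @property
    def version_disclosed(self) -> bool:
        return self.version is not None

    @property
    def build_disclosed(self) -> bool:
        # Anything in the optional comments field counts as a build/OS hint.
        return self.comments is not None


def _split_software(software: str) -> Tuple[str, Optional[str]]:
    """Split "OpenSSH_5.1p1" into ("OpenSSH", "5.1p1"); "SSH" gives ("SSH", None).

    The product name is everything before the first digit (trailing _ - /
    separators stripped); the version is everything from that digit on."""
    m = re.search(r"\d", software)
    if m is None:
        return software, None
    product = software[: m.start()].rstrip("_-/")
    return (product or software), software[m.start():]


def parse_id_line(line: str) -> SshBanner:
    """Parse one identification line (trailing CR LF is tolerated)."""
    m = _ID_LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification line: {line!r}")
    product, version = _split_software(m.group("software"))
    return SshBanner(
        protocol=m.group("proto"),
        product=product,
        version=version,
        comments=m.group("comments"),
    )


def parse_server_hello(data: bytes) -> SshBanner:
    """Find the identification line in the first bytes a server sends.

    RFC 4253 4.2 allows a server to send other lines (a login notice, for
    instance) before the line that starts with "SSH-"; clients must skip them."""
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r").decode("ascii", errors="replace")
        if line.startswith("SSH-"):
            return parse_id_line(line)
    raise ValueError("no SSH identification line found")


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> SshBanner:
    """Connect to a real server and read its identification string (live helper)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        buf = b""
        while not (b"SSH-" in buf and buf.endswith(b"\n")):
            chunk = s.recv(1024)
            if not chunk or len(buf) > 64 * 1024:
                break
            buf += chunk
    return parse_server_hello(buf)


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = {
    "stock OpenSSH with distro comment": "SSH-2.0-OpenSSH_5.1p1 Debian-5",
    "comment field suppressed":         "SSH-2.0-OpenSSH_5.1p1",
    "version suppressed":               "SSH-2.0-SSH",
    "dual-protocol server":             "SSH-1.99-OpenSSH_3.9p1",
}


def report(banner: str) -> str:
    """One-line summary of what a banner discloses."""
    b = parse_id_line(banner)
    ver = b.version if b.version_disclosed else "(suppressed)"
    build = b.comments if b.build_disclosed else "(none)"
    return f"proto={b.protocol} product={b.product} version={ver} build={build}"


if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:36s} {banner!r:40s} -> {report(banner)}")
```

Note that the "version suppressed" banner parses identically whether the sshd behind it is patched or not, which is the point made above about misguided comfort: the parser can tell you what a banner leaks, never what the daemon is actually running.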
Received on Wed Feb 11 20:06:40 2009