topic Re: How to disable ssh server version name and number? in Network Security

How to disable ssh server version name and number?

faizzaidi — Fri, 21 Feb 2020 15:33:53 GMT

Hello,

I am performing a switch hardening process. One of our clients has an issue with Cisco 6500 switch.

While performing a Nmap scan on our network. We get the following information as a result.

I would like to know this possible I can hide or remove or disable the Version information from the switch i.e Cisco SSH 1.25(protocol 2.0).

Thanks

Re: How to disable ssh server version name and number?

Seb Rupik — Tue, 27 Mar 2018 10:33:39 GMT

Hi there,

This information is given up as part of normal ssh client operation. Run your SSH client with the verbose flag and you will see the information which is exchanged before authentication takes place:

srupik@debian:~$ ssh -l srupik -v x.x.x.x
OpenSSH_7.4p1 Debian-10+deb9u3, OpenSSL 1.0.2l  25 May 2017
debug1: Reading configuration data /etc/ssh/ssh_config
...
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u3
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000
...
password:

...in short, you cannot stop this information from being revealed... unless perhaps you re-compiled the ssh client binaries which are running in the IOS firmware...!

You mat also like to read:

https://nmap.org/book/vscan.html

cheers,

Seb.

Re: How to disable ssh server version name and number?

faizzaidi — Tue, 27 Mar 2018 12:31:07 GMT

Thank you so much for the response. I have some question regarding your suggestion.

How can I re-compiled the ssh client binaries of IOS firmware.?
Could you please provide any guides for that? Or any CISCO custom binaries are available for the issue.

Please share it.

Thanks

Re: How to disable ssh server version name and number?

Seb Rupik — Wed, 28 Mar 2018 09:14:50 GMT

My suggestion was hypothetical. The IOS code is propriety, you would not be able to compile and re-bundle it.

You will have to live with the fact that IOS will leak information about the versions of some of its services. The best you can do is to run the latest IOS version which mitigates the current set of vulnerabilities which may affect those services.

cheers,

Seb.