How to disable ssh server version name and number?

faizzaidi
Level 1

Hello,

I am performing a switch hardening process. One of our clients has an issue with Cisco 6500 switch.

While performing an Nmap scan on our network, we get the following information as a result.

 

cisco.png

 

I would like to know whether it is possible to hide, remove or disable the version information from the switch, i.e. Cisco SSH 1.25 (protocol 2.0).

 

Thanks

Seb Rupik
VIP Alumni

Hi there,

This information is given up as part of normal ssh client operation. Run your SSH client with the verbose flag and you will see the information which is exchanged before authentication takes place:

srupik@debian:~$ ssh -l srupik -v x.x.x.x
OpenSSH_7.4p1 Debian-10+deb9u3, OpenSSL 1.0.2l  25 May 2017
debug1: Reading configuration data /etc/ssh/ssh_config
...
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u3
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000
...
password: 

...in short, you cannot stop this information from being revealed... unless perhaps you re-compiled the ssh client binaries which are running in the IOS firmware...!

 

You may also like to read:

https://nmap.org/book/vscan.html

 

cheers,

Seb.
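
The version string in the debug output above is the SSH identification line, which RFC 4253 section 4.2 requires each side to send in cleartext before key exchange, so it cannot be switched off. As an added example (not part of the original reply), this parser splits such a line into its fields and, going one step beyond the thread, flags captures that still announce SSH-1 compatibility; the host names, the `SSH-1.99` capture and the pre-banner text are constructed.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
IDENT_RE = re.compile(rb"^SSH-([^-\s]+)-([^\s]+)(?: (.*))?$")
MAX_IDENT_LEN = 255  # limit includes the trailing CR LF

# Constructed sample captures (host names are placeholders). The first and
# third identification strings are the ones shown in the ssh -v output above.
SAMPLES = {
    "switch-a": b"SSH-2.0-Cisco-1.25\r\n",
    "switch-b": b"SSH-1.99-Cisco-1.25\r\n",
    "jump-host": b"Authorized use only\r\nSSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u3\r\n",
}


def parse_ssh_ident(data: bytes) -> dict:
    """Parse the first identification line, skipping any pre-banner lines."""
    for raw in data.split(b"\n"):
        if not raw.startswith(b"SSH-"):
            continue  # servers may send other lines first; none may start with "SSH-"
        if len(raw) + 1 > MAX_IDENT_LEN:
            raise ValueError("identification string longer than 255 bytes")
        m = IDENT_RE.match(raw.rstrip(b"\r"))
        if not m:
            raise ValueError(f"malformed identification string: {raw!r}")
        proto, software = m.group(1).decode("ascii"), m.group(2).decode("ascii")
        return {
            "proto": proto,
            "software": software,
            "comments": m.group(3).decode("ascii", "replace") if m.group(3) else None,
            # "1.5" is SSH-1 only; "1.99" is SSH-2 with SSH-1 compatibility (RFC 4253 5.1)
            "offers_ssh1": proto.startswith("1."),
        }
    raise ValueError("no SSH identification string found")


def audit(samples: dict) -> list:
    """Return the hosts whose banner still advertises SSH protocol 1 support."""
    return sorted(h for h, b in samples.items() if parse_ssh_ident(b)["offers_ssh1"])


if __name__ == "__main__":
    for host, banner in SAMPLES.items():
        print(host, parse_ssh_ident(banner))
    print("offering SSH-1:", audit(SAMPLES))
```
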

Thank you so much for the response. I have some questions regarding your suggestion.

How can I re-compile the SSH client binaries of the IOS firmware?
Could you please provide any guides for that? Or are any Cisco custom binaries available for the issue?

Please share it.

 

Thanks

My suggestion was hypothetical. The IOS code is proprietary, you would not be able to compile and re-bundle it.

 

You will have to live with the fact that IOS will leak information about the versions of some of its services. The best you can do is to run the latest IOS version which mitigates the current set of vulnerabilities which may affect those services.

 

cheers,

Seb.
