
I have my Raspberry Pi accessible through SSH and I do not want it to reveal any information to port-scans such as below:

[screenshot: open port on my raspi revealing too much information]

  1. How do port-scanners (I used Advanced Port scanner on Windows 10) get so much detailed information about the service and the OS (not just for SSH - I mean generally). Which part of the target OS reveals that info and how?
  2. How can I make it so that no information is revealed?
Max

1 Answer

> How do port-scanners ... get so much detailed information about the service and the OS

Depends on the specific service. For SSH a simple TCP connection to the service is sufficient since the server will reply with this information, i.e.

    $ telnet some-openssh-server.example.com 22
    SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1

Similarly trivial is the information to gain from HTTP, since systems commonly announce this information. Of course servers might actually lie about their version and OS, in which case this lie will usually be accepted by the scanner.

> How can I make it so that no information is revealed?

The best way is to prevent the scanning in the first place. This can be done by only accepting connections from specific IP addresses, by requiring some port knocking before the port gets opened, or similar. One might also try to change the provided details in the server configuration. Whether this is possible and how it is done depends on the specific server software.

Steffen Ullrich
  • For anyone else interested in the method described to answer my 1. question: It is referred to as Banner Grabbing (according to Wikipedia) and it is a subdiscipline of [OS-Fingerprinting (German Wikipedia article)](https://de.wikipedia.org/wiki/OS-Fingerprinting). [This](https://raspberrypi.stackexchange.com/questions/73681/raspberry-pi-custom-ssh-normal-login-message/73691#answer-73691) answer describes how the banner can be edited. – Max Jan 03 '21 at 15:48
  • Other than applying the methods you named to prevent scanning in the first place, wouldn't it make sense to simply erase the contents of `/etc/update-motd.d` in order to prevent any default banner from being generated, and thus give hackers less info about my system? – Max Jan 03 '21 at 15:52
  • Why? It has to be able to negotiate which protocol to use - and that will reveal a lot about the version. As an attacker, I'd try to narrow it down based on protocol, and then simply throw all applicable attacks on it. Exact version may simplify things, but not hugely so. – vidarlo Jan 03 '21 at 16:33
  • Who has to be able to negotiate which protocol to use? I decide to use SSH when I connect to 222, no one else needs to know. Any negotiation (encryption etc.) is done in the underlying SSH protocol infrastructure. An attacker would not know the fact that 222 is my SSH port. And removing the banner should keep them guessing about the protocol and the version (and any other info relevant for attackers) if they decide to port scan my entire machine. Am I right? – Max Jan 03 '21 at 17:40
  • @Max: *"... simply erase the contents of /etc/update-motd.d in order to prevent any default banner from being generated ..."* - motd.d is a banner __after__ login. What you see here with SSH is the __protocol__ version exchange __before__ authentication. This is part of the SSH protocol (see [RFC4253 section 4.2](https://tools.ietf.org/html/rfc4253#section-4.2)) while the banner after login (motd) is not. Again, the best way to prevent such detection is to prevent the scanning itself and not only the information leak. – Steffen Ullrich Jan 03 '21 at 18:13
  • *"Any negotiation (encryption etc) is done in the underlying SSH protocol infrastructure."* - as I said, this banner is actually part of the SSH protocol. – Steffen Ullrich Jan 03 '21 at 18:19
  • @Steffen, ahh, I see, thanks for clarifying that. From the syntax specified in the RFC it looks like everything except for the OS is part of `SSH-protoversion-softwareversion`. The OS information seems to be part of the `comment`, which makes it optional I assume? And this exchange before authentication is presumably implemented by the SSH server - in this case OpenSSH, correct? – Max Jan 03 '21 at 18:28
  • @Max: Yes, the comment is optional. It can also be changed on some systems by fiddling with `DebianBanner` and `VersionAddendum` in sshd config, see [documentation](https://manpages.debian.org/buster/openssh-server/sshd_config.5.en.html#DebianBanner). – Steffen Ullrich Jan 03 '21 at 18:34