
DebianBanner no

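DebianBanner is an sshd configuration option on Debian-based distributions. I only just learned about it, but it seems that OS information leaks when an SSH connection is made. There is no need to actively disclose it, so let's make sure to remove it. It is roughly the equivalent of ServerTokens in Apache.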

man sshd_config has a description of DebianBanner.

DebianBanner no

DebianBanner
Specifies whether the distribution-specified extra version suffix is included during initial
protocol handshake. The default is “yes”.

With DebianBanner yes

[~@xxxuser]ssh xxxx.jp -v
OpenSSH_5.9p1, OpenSSL 0.9.8x 10 May 2012
debug1: Reading configuration data /Users/xxxuser/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug1: Connecting to xxxx.jp [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /Users/xxxuser/.ssh/id_rsa type -1
debug1: identity file /Users/xxxuser/.ssh/id_rsa-cert type -1
debug1: identity file /Users/xxxuser/.ssh/id_dsa type 2
debug1: identity file /Users/xxxuser/.ssh/id_dsa-cert type -1
#################### NOTE ####################
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
#################### NOTE ####################
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received

With DebianBanner no

[~@xxxuser]ssh xxxx.jp -v
OpenSSH_5.9p1, OpenSSL 0.9.8x 10 May 2012
debug1: Reading configuration data /Users/xxxuser/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug1: Connecting to xxxx.jp [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /Users/xxxuser/.ssh/id_rsa type -1
debug1: identity file /Users/xxxuser/.ssh/id_rsa-cert type -1
debug1: identity file /Users/xxxuser/.ssh/id_dsa type 2
debug1: identity file /Users/xxxuser/.ssh/id_dsa-cert type -1
#################### NOTE ####################
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1
debug1: match: OpenSSH_5.9p1 pat OpenSSH*
#################### NOTE ####################
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received

You can see that the OS name is no longer displayed.
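To check this on your own servers without reading ssh -v output by eye, the following is an added example (not code from the original post). It parses the SSH identification string per RFC 4253 section 4.2 to detect the distribution suffix and reads the global DebianBanner value from sshd_config text. The function names and sample strings are assumptions; the samples are constructed from the version strings shown in the output above.

```python
import re
import socket

def effective_debian_banner(config_text):
    """Return the global DebianBanner value; sshd uses the first value it reads."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                   # keywords are case-insensitive
        if key == "match":                       # global section ends at first Match
            break
        if key == "debianbanner" and len(parts) == 2:
            return parts[1].strip().strip('"').lower() == "yes"
    return True                                  # man page: the default is "yes"

def parse_ident(line):
    """Split 'SSH-protoversion-softwareversion SP comments' (RFC 4253, 4.2)."""
    m = re.fullmatch(r"SSH-([^-\s]+)-(\S+)(?: (.*))?", line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification string")
    return {"proto": m.group(1), "software": m.group(2), "suffix": m.group(3)}

def fetch_ident(host, port=22, timeout=5.0):
    """Read the identification line from a server you administer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        with s.makefile("rb") as f:
            for raw in f:
                text = raw.decode("ascii", "replace")
                if text.startswith("SSH-"):      # servers may send other lines first
                    return text.rstrip("\r\n")
    raise ConnectionError("no identification string received")

# Constructed samples, built from the version strings in the ssh -v output above.
SAMPLE_YES = "SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1\r\n"
SAMPLE_NO = "SSH-2.0-OpenSSH_5.9p1\r\n"
SAMPLE_CONFIG = "Port 22\n#DebianBanner yes\ndebianbanner no\n"

if __name__ == "__main__":
    for sample in (SAMPLE_YES, SAMPLE_NO):
        print(parse_ident(sample))
    print("banner suffix enabled:", effective_debian_banner(SAMPLE_CONFIG))
```

A non-empty suffix from parse_ident(fetch_ident(host)) on a host whose config reports the option as disabled usually means sshd has not been restarted since the change.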