1

I have my Raspberry Pi accessible through SSH and I do not want it to reveal any information to port-scans such as below:

open port on my raspi revealing too much information

  1. How do port-scanners (I used Advanced Port scanner on Windows 10) get so much detailed information about the service and the OS (not just for SSH - I mean generally). Which part of the target OS reveals that info and how?
  2. How can I make it so that no information is revealed?
Improve this question
0

1 Answer 1

Reset to default
3

How do port-scanners ... get so much detailed information about the service and the OS

Depends on the specific service. For SSH a simple TCP connection to the service is sufficient since the server will reply with this information, i.e.

 $ telnet some-openssh-server.example.com 22 SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1

Similar trivial are information to gain from HTTP since systems commonly announce these information. Of course servers might actually lie about their version and OS, in which case this lie will usually be accepted by the scanner.

How can I make it so that no information is revealed?

The best way is to prevent the scanning in the first way. This can be done by only accepting connections from specific IP addresses, by requiring some port knocking before the port gets opened or similar. One might also try to change the provided details in the server configuration. If this is possible and how it is done depends on the specific server software.

Improve this answer
8
  • For anyone else interested in the method described to answer my 1. question: It is refered to as Banner Grabbing (according to wikipedia) and it is a subdiscipline of OS-Fingerprinting (german wikipedia article). This anwer describes how the banner can be edited. Commented Jan 3, 2021 at 15:48
  • 1
    Why? It has to be able to negotiate which protocol to use - and that will reveal a lot about the version. As an attacker, I'd try to narrow it down based on protocol, and then simply throw all applicable attacks on it. Exact version may simplify things, but not hugely so. Commented Jan 3, 2021 at 16:33
  • 2
    @Max: "... simply erase the contents of /etc/update-motd.d in order to prevent any default banner from being generated ..." - motd.d is a banner after login. What you see here with SSH is the protocol version exchange before authentication. This is part of the SSH protocol (see RFC4253 section 4.2) while the banner after login (motd) is not. Again, the best way to prevent such detection is to prevent the scanning itself and not only the information leak. Commented Jan 3, 2021 at 18:13
  • 2
    "Any negotiation (encryption etc) is done in the underlying SSH protocol infrastructure." - as I said, this banner is actually part of the SSH protocol. Commented Jan 3, 2021 at 18:19
  • 1
    @Max: Yes, the comment is optional. It can also be changed on some systems by fiddling with DebianBanner and VersionAddendum in sshd config, see documentation. Commented Jan 3, 2021 at 18:34

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.