As security conscious as the authors of OpenBSD are, I'm surprised they do exactly this. Perhaps this is just a default setting on servers that are off by default and which the OpenBSD authors regard as inherently insecure. Both telnetd and ftpd announce the operating system and hostname before a login is completed. Telnetd also gives the architecture.

Elsewhere, in the TCPD Wrappers section, an "h" was added to the command that starts telnet sessions to suppress this information. I haven't found an ftpd option to suppress this information. The best I've found is that the contents of /etc/ftpwelcome will be displayed before the ready message (which contains the hostname, OS and server release information).

Instead of announcing to the world what the OS is, the login banner should tell unauthorized users to stay away. According to Creating Login Banners, if you want to use system logs in a U.S. court of law against an intruder, your system needs a notice that system activity is logged. This specifically applies to government computers. I'm not sure if there is such a requirement for privately owned computers, but it can't hurt to have an explicit warning. My current login banner reads:

Unauthorized access prohibited; all access and activities

No information that identifies the system being connected to is provided. This custom banner has been placed in both /etc/ftpwelcome and /etc/motd. I see no more point in displaying the operating system and architecture information after a login is completed than before. sshd, telnetd and ftpd display /etc/motd after a successful login.

To ensure that the custom banner continues to appear and that the OS and platform information does not, the following lines from /etc/rc need to be removed or commented out:

    # patch /etc/motd
    if [ ! -f /etc/motd ]; then
        install -c -o root -g wheel -m 664 /dev/null /etc/motd
    fi
    T=`mktemp /tmp/_motd.XXXXXXXXXX`
    if [ $? -eq 0 ]; then
        sysctl -n kern.version | sed 1q > $T
        echo "" >> $T
        sed '1,/^$/d' < /etc/motd >> $T
        cmp -s $T /etc/motd || cp $T /etc/motd
        rm -f $T
    fi

The lines above are the ones that put "OpenBSD", the version, the kernel name and when it was compiled at the top of /etc/motd. They do not display this information themselves; rather, they restore it to the /etc/motd file if a system administrator has taken it out. They also update this information if a custom kernel is built.
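
What that fragment does to a custom banner, and a check that the banner files stay clean, as an added example that is not part of the original article or of OpenBSD's /etc/rc. The function names, the script name and the sample banner and kernel line are assumptions made for illustration; the kernel line is passed as an argument instead of being read from sysctl.

```shell
#!/bin/sh
# Added example, not from the article. Everything works on files passed as
# arguments, so it can be tried on copies before being pointed at /etc.

# rc_patch_motd MOTD KERNLINE
# Same steps as the /etc/rc fragment. Assumption: the kernel version line is
# passed in as KERNLINE instead of being read from "sysctl -n kern.version".
rc_patch_motd() {
    motd=$1 kernline=$2
    t=$(mktemp "${TMPDIR:-/tmp}/_motd.XXXXXXXXXX") || return 1
    printf '%s\n\n' "$kernline" > "$t"
    # Deletes line 1 through the first blank line; with no blank line in the
    # file, that is the whole file.
    sed '1,/^$/d' < "$motd" >> "$t"
    cmp -s "$t" "$motd" || cp "$t" "$motd"
    rm -f "$t"
}

# banner_leaks FILE WORD...
# Succeeds if FILE contains any WORD (fixed string, case-insensitive).
banner_leaks() {
    file=$1; shift
    for word in "$@"; do
        grep -i -q -F -e "$word" "$file" && return 0
    done
    return 1
}

# rc_patch_active RCFILE
# Succeeds if RCFILE still has the kern.version line uncommented.
rc_patch_active() {
    grep -q -E '^[[:space:]]*sysctl -n kern\.version [|] sed 1q' "$1"
}

# Constructed demo: "sh motdcheck.sh demo" (script name is hypothetical).
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) || exit 1
    # Constructed banner and kernel line, not taken from a real system.
    printf 'Unauthorized access prohibited.\n\nLocal notice.\n' > "$d/motd"
    rc_patch_motd "$d/motd" 'OpenBSD X.Y (GENERIC) #0: constructed sample'
    cat "$d/motd"
    banner_leaks "$d/motd" OpenBSD GENERIC && echo "motd names the OS again"
    rm -rf "$d"
fi
```

In the demo the warning paragraph is dropped and the kernel line takes its place, which is why the fragment has to be disabled rather than only editing /etc/motd.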
Copyright © 2000 - 2006 by George Shaffer.
This material may be distributed only subject to the
terms and conditions set forth on
http://GeodSoft.com/terms.htm.
These terms are subject to change. Distribution is subject to the then
current terms, or at the choice of the distributor, those defined in a
verifiably dated printout or electronic copy of
http://GeodSoft.com/terms.htm at the time of the distribution.
Distribution of substantively modified versions of GeodSoft content is
prohibited without the explicit permission of George Shaffer.
Distribution of the work or derivatives of the work, in whole or in part,
for commercial purposes is prohibited unless prior permission is
obtained from George Shaffer. Distribution in accordance with these
terms, for private, unrestricted and uncompensated public access, non
profit, or internal company use is allowed.