
Hardening OpenBSD Internet Servers
Logon Banners

Logon banners and system greetings usually provide information useful to intruders. Instead, they should warn intruders against unauthorized access so that all legal remedies may be pursued against them. Finding and changing the OpenBSD logon banners is discussed here.

I've never understood why virtually every computer system ever built announces itself to the world when anyone makes a connection to it. The operating system and version are of almost no interest to ordinary non-technical users, and legitimate administrators can get this information in other ways. Yet it is one of the essential pieces of information in cracking a system. Potential intruders seem to be about the only audience likely to actually benefit from it.

Fyodor, the author of nmap, has gone to great lengths to build OS fingerprinting capabilities into nmap. OS fingerprinting in nmap identifies the OS by examining minor variations in how the TCP/IP stack responds to non-standard packets. As he says in his article on OS fingerprinting:

There is no point going to all this trouble of fingerprinting if the machine will blatantly announce to the world exactly what it is running! Sadly, many vendors ship current systems with these kinds of banners and many admins do not turn them off. Just because there are other ways to figure out what OS is running (such as fingerprinting), does not mean we should just announce our OS and architecture to every schmuck who tries to connect.

As security conscious as the authors of OpenBSD are, I'm surprised they do exactly this. Perhaps this is just a default setting on servers that are off by default and which the OpenBSD authors regard as inherently insecure. Both telnetd and ftpd announce the operating system and hostname before a login is completed; telnetd also gives the architecture. Elsewhere, in the TCPD Wrappers section, the -h option was added to the command that starts telnet sessions to suppress this information. I haven't found an ftpd option to suppress it. The best I've found is that the contents of /etc/ftpwelcome are displayed before the ready message (which contains the hostname, OS and server release information).

Instead of announcing to the world what the OS is, the login banner should tell unauthorized users to stay away. According to Creating Login Banners, if you want to use system logs in a U.S. court of law against an intruder, your system needs a notice that system activity is logged. This specifically applies to government computers. I'm not sure whether there is such a requirement for privately owned computers, but it can't hurt to have an explicit warning. My current login banner reads:

Unauthorized access prohibited; all access and activities
not explicitly authorized by George Shaffer are unauthorized.
All activities are monitored and logged. There is no privacy
on this system. Unauthorized access and activities or any
criminal activity will be reported to appropriate authorities.

No information that identifies the system being connected to is provided. This custom banner has been placed in both /etc/ftpwelcome and /etc/motd.

I see no more point in displaying the operating system and architecture information after a login is completed than before. sshd, telnetd and ftpd all display /etc/motd after a successful login. To ensure that the custom banner continues to appear and that the OS and platform information does not, the following lines from /etc/rc need to be removed or commented out:

# patch /etc/motd
if [ ! -f /etc/motd ]; then
	install -c -o root -g wheel -m 664 /dev/null /etc/motd
fi
T=`mktemp /tmp/_motd.XXXXXXXXXX`
if [ $? -eq 0 ]; then
	# first line of kern.version: "OpenBSD <version> (<kernel>) #<build>: <date>"
	sysctl -n kern.version | sed 1q > $T
	echo "" >> $T
	# keep only what follows the first blank line of the old motd (the custom text)
	sed '1,/^$/d' < /etc/motd >> $T
	# replace /etc/motd only if the rebuilt copy differs
	cmp -s $T /etc/motd || cp $T /etc/motd
	rm -f $T
fi

The lines above are the ones that put "OpenBSD", the version, the kernel name and when it was compiled at the top of /etc/motd. They don't display this information themselves; rather, they restore it to the /etc/motd file at boot if a system administrator has taken it out. They also update this information if a custom kernel is built.
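As an added example (not code from the GeodSoft page), the following sh script audits banner files for the kern.version line that rc writes, strips it using the same first-blank-line split that rc relies on, and checks whether an rc file still carries the live sysctl line. The kernel version string, file names and sample banner text are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: audit /etc/motd-style banner
# files for the OS line that /etc/rc copies from kern.version, and check
# whether the "patch /etc/motd" block in an rc file is still active.

# True if the first line of $1 looks like "OpenBSD 3.1 (GENERIC) #59: <date>".
motd_has_kernel_line() {
    head -n 1 "$1" | grep -Eq '^OpenBSD [0-9]+\.[0-9]+ \([A-Za-z0-9_.-]+\) #[0-9]+:'
}

# True if the banner names the OS or an architecture a greeting should not reveal.
banner_leaks_os() {
    grep -Eiq 'openbsd|i386|amd64|sparc64|macppc' "$1"
}

# Print only the custom banner: drop the kernel line and its blank separator
# with the same sed expression rc uses to locate the custom part.
strip_kernel_line() {
    if motd_has_kernel_line "$1"; then
        sed '1,/^$/d' "$1"
    else
        cat "$1"
    fi
}

# True if the rc file $1 still has an uncommented line running sysctl -n kern.version,
# i.e. the block that rewrites the top of /etc/motd at every boot.
rc_still_patches_motd() {
    grep -Eq '^[[:space:]]*sysctl -n kern.version' "$1"
}

# Constructed sample files: a clean banner, the same banner with a
# (hypothetical) kernel line on top, and live vs. commented rc fragments.
make_samples() {
    d=$(mktemp -d)
    printf 'Unauthorized access prohibited.\nAll activities are monitored and logged.\n' > "$d/motd.clean"
    { printf 'OpenBSD 3.1 (GENERIC) #59: Sat Apr 13 15:28:52 MDT 2002\n\n'
      cat "$d/motd.clean"; } > "$d/motd.leaky"
    printf '   sysctl -n kern.version | sed 1q > $T\n' > "$d/rc.live"
    printf '#  sysctl -n kern.version | sed 1q > $T\n' > "$d/rc.fixed"
    echo "$d"
}

# Stand-alone demo over the constructed samples.
samples=$(make_samples)
for f in motd.leaky motd.clean; do
    if banner_leaks_os "$samples/$f"; then echo "$f: leaks OS information"; else echo "$f: ok"; fi
done
rc_still_patches_motd "$samples/rc.live" && echo "rc.live: still rewrites /etc/motd at boot"
rm -rf "$samples"
```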


Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in http://GeodSoft.com/terms.htm (or http://GeodSoft.com/cgi-bin/terms.pl). These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.
