How to Hide SSH Version Banner in Ubuntu for Enhanced Security


When you perform a simple telnet to port 22 on an Ubuntu server, you'll see output like:

$ telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4

This version information can be valuable to potential attackers, as it helps them identify vulnerabilities specific to your SSH implementation.

To prevent SSH from advertising its version, you'll need to modify the SSH daemon configuration file:

sudo nano /etc/ssh/sshd_config

Add or modify the following line (on Debian and Ubuntu builds this option removes the distribution suffix, such as "Debian-3ubuntu4", from the banner):

DebianBanner no

For older versions (pre-OpenSSH 7.3), you might need to patch and recompile SSH. As an alternative, on systems where you cannot modify the SSH configuration, iptables is sometimes used to interfere with the banner exchange. Be aware that these rules drop matching packets rather than rewriting them, so a rule that matches all port-22 traffic blocks SSH connections outright; keep a second session open and test before relying on them:

sudo iptables -t mangle -A PREROUTING -p tcp --dport 22 -j DROP

Or, matching only packets that carry the SSH-2.0 identification string (on the INPUT chain this also matches the client's own identification line, so verify that connections still complete):

sudo iptables -A INPUT -p tcp --dport 22 -m string --string "SSH-2.0" --algo bm -j DROP

After making changes, restart SSH and test:

sudo service ssh restart
telnet localhost 22

The output should now show a generic banner or, with the iptables rules, nothing at all. Note that the SSH-2.0-... identification line is required by the protocol; configuration changes only the text after the protocol version.

For maximum control, you can compile OpenSSH from source with custom modifications:

wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.5p1.tar.gz
tar -xzf openssh-9.5p1.tar.gz
cd openssh-9.5p1
./configure --with-xauth=/usr/bin/xauth --with-ssl-dir=/usr/local/ssl
make
sudo make install

Before running make, edit the version string in the source (SSH_VERSION in version.h) so that the installed daemon reports the name you choose.

While hiding version information is only security through obscurity, it should complement, not replace, other security measures:

  • Disable root login
  • Use key-based authentication
  • Implement fail2ban
  • Regularly update your SSH package

When your SSH server broadcasts its exact version information (like SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4), you're essentially handing potential attackers a roadmap to vulnerabilities. This version fingerprinting allows malicious actors to:

  • Search for known exploits targeting your specific OpenSSH version
  • Identify unpatched CVEs related to your distribution
  • Launch version-specific attacks while bypassing generic protections

The primary solution involves editing the SSH daemon configuration file. Here's the complete process for Ubuntu systems:

# Open the SSH config file with root privileges
sudo nano /etc/ssh/sshd_config

# Add or modify these lines:
DebianBanner no
VersionAddendum none

# Then restart the SSH service
sudo service ssh restart

For additional protection, consider these advanced methods:

# Compile a custom version of OpenSSH with a modified version string:
# the portable build has no configure flag for the banner, so edit
# SSH_VERSION in version.h (e.g. to "SecureServer") before building
./configure
make
sudo make install

# Alternative: iptables. Netfilter cannot rewrite the banner text; a DROP
# on --sport 22 blocks every reply from sshd, and CLASSIFY only tags
# packets with a traffic-control class. Treat these as blocking rules.
sudo iptables -t mangle -A OUTPUT -p tcp --sport 22 -j DROP
sudo iptables -t mangle -A OUTPUT -p tcp --sport 22 -j CLASSIFY --set-class 1:1

After implementation, test your configuration:

# Method 1: Using telnet
telnet your.server.ip 22

# Method 2: Using netcat
nc your.server.ip 22

# Method 3: Using SSH client debugging (look for the "remote software version" debug line)
ssh -v user@your.server.ip
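A small checker for the two test sections above (the telnet check after the first configuration change and Methods 1-3 here). This is an added example, not part of the original article: it parses the RFC 4253 identification string, reports the fields a defender wants stripped (the comment field that DebianBanner no removes, and any software version still visible), and can fetch the banner from a host you administer. The sample banners are constructed, not captured.

```python
import socket

# Constructed sample banners (not captured from a real host).
SAMPLE_BEFORE = "SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4\r\n"
SAMPLE_AFTER = "SSH-2.0-OpenSSH_5.3p1\r\n"


def parse_banner(line):
    """Split an RFC 4253 identification string into its parts.

    Format: SSH-protoversion-softwareversion [SP comments] CR LF
    Returns a dict, or None when the line is not an SSH banner."""
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-"):
        return None
    ident, _, comments = line.partition(" ")
    parts = ident.split("-", 2)
    if len(parts) != 3:
        return None
    return {"proto": parts[1], "software": parts[2], "comments": comments}


def audit_banner(line):
    """List what the banner still reveals: the distribution suffix in the
    comment field and a software string that carries a version number."""
    info = parse_banner(line)
    if info is None:
        return ["not an SSH identification string"]
    findings = []
    if info["comments"]:
        findings.append("comment field present: %r" % info["comments"])
    if any(ch.isdigit() for ch in info["software"]):
        findings.append("software version exposed: %r" % info["software"])
    return findings


def fetch_banner(host, port=22, timeout=5.0):
    """Read the server identification string over TCP, skipping any
    pre-banner lines a server is allowed to send before it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="utf-8", errors="replace")
        for line in reader:
            if line.startswith("SSH-"):
                return line
    return ""


if __name__ == "__main__":
    for sample in (SAMPLE_BEFORE, SAMPLE_AFTER):
        print(sample.strip(), "->", audit_banner(sample) or ["nothing exposed"])
```

Run it against a server you manage with `audit_banner(fetch_banner("your.server.ip"))`; an empty result means neither a comment field nor a numbered version is advertised.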

For comprehensive security, apply similar measures to other services:

  • MySQL: Set show_compatibility_56 = OFF in my.cnf
  • Cyrus: Modify /etc/imapd.conf with serverinfo: hide
  • Apache: Use ServerTokens Prod and ServerSignature Off