apache / mina-sshd

Apache MINA sshd is a comprehensive Java library for client- and server-side SSH.
https://mina.apache.org/sshd-project/
Apache License 2.0

Nmap can scan the version number of Apache mina sshd. Attackers may obtain the version number and find the corresponding vulnerability to attack the system. #520

Closed zhyde2010 closed 5 days ago

zhyde2010 commented 1 week ago

Version

2.10.0

Bug description

Nmap can scan the version number of Apache mina sshd. Attackers may obtain the version number and find the corresponding vulnerability to attack the system.

Actual behavior

Nmap can scan the version number of Apache mina sshd. Attackers may obtain the version number and find the corresponding vulnerability to attack the system.

Expected behavior

We hope that open source software will give us a way to hide version information.

Relevant log output

For details about the problem symptom and code segment, see the Other information sections. We want to modify it, but we don't have a public method to modify it.

1. org/apache/sshd/common/session/helpers/SessionHelper.java:

    protected String resolveIdentificationString(String configPropName) {
        FactoryManager manager = getFactoryManager();
        String ident = manager.getString(configPropName);
        return SessionContext.DEFAULT_SSH_VERSION_PREFIX + (GenericUtils.isEmpty(ident) ? manager.getVersion() : ident);
    }

It is protected, so we cannot change it.

2. org/apache/sshd/client/session/AbstractClientSession.java:

    protected IoWriteFuture sendClientIdentification() throws Exception {
        clientVersion = resolveIdentificationString(CoreModuleProperties.CLIENT_IDENTIFICATION.getName());
        // Note: we intentionally use an unmodifiable list in order to enforce the fact that client cannot send header lines
        signalSendIdentification(clientVersion, Collections.emptyList());
        return sendIdentification(clientVersion, Collections.emptyList());
    }

The clientVersion is protected.

Other information

Thank you!

tomaswolf commented 5 days ago

Set the property CoreModuleProperties.CLIENT_IDENTIFICATION (or CoreModuleProperties.SERVER_IDENTIFICATION for a server) to whatever identification you want to use. (Set it on the SshClient or SshServer.) Note that the value should be a valid identification string, without the "SSH-2.0-" prefix.

Besides, even if methods are protected, you can still override them. Subclass ClientSessionImpl or ServerSessionImpl and override the method. Then create a SessionFactory that creates instances of your subclass, and set that factory on the SshClient or SshServer.

But for the identification string, just setting the property is sufficient and simpler.
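
The property-based approach from the reply above, as an added example that is not part of the original thread or the project's own code: it sets SERVER_IDENTIFICATION on an SshServer, then reads the identification line from a plain socket, which is the same line a version scanner sees. The class name, the value "SSHD", the loopback listener on an OS-chosen port and the reject-all authenticator are assumptions for illustration.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

import org.apache.sshd.core.CoreModuleProperties;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;

public class CustomIdentificationDemo {
    // Constructed value; the library prepends "SSH-2.0-" itself.
    private static final String IDENT = "SSHD";

    public static void main(String[] args) throws Exception {
        SshServer server = SshServer.setUpDefaultServer();
        server.setHost("127.0.0.1");
        server.setPort(0); // let the OS pick a free port
        server.setKeyPairProvider(new SimpleGeneratorHostKeyProvider());
        // Reject every login: this demo only inspects the pre-auth banner.
        server.setPasswordAuthenticator((user, password, session) -> false);
        // Replace the default identification, which carries the library version.
        CoreModuleProperties.SERVER_IDENTIFICATION.set(server, IDENT);
        server.start();
        try {
            String banner = readBanner("127.0.0.1", server.getPort());
            System.out.println("Server identification: " + banner);
            if (!("SSH-2.0-" + IDENT).equals(banner)) {
                throw new IllegalStateException("Unexpected identification: " + banner);
            }
        } finally {
            server.stop(true);
        }
    }

    // Reads the first line starting with "SSH-" from a raw TCP connection.
    static String readBanner(String host, int port) throws Exception {
        try (Socket socket = new Socket(host, port);
             BufferedReader in = new BufferedReader(
                     new InputStreamReader(socket.getInputStream(), StandardCharsets.US_ASCII))) {
            socket.setSoTimeout(5000);
            String line;
            while ((line = in.readLine()) != null) {
                if (line.startsWith("SSH-")) {
                    return line;
                }
            }
            return null;
        }
    }
}
```

The identification line is a mandatory part of the SSH version exchange (RFC 4253, section 4.2), so it can be replaced with a neutral value but not removed.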