How to hide SSH version

I have just been audited and one of the recommendations is to hide the SSH version or give fake information.

I went to openssh.com; they don't seem to have any info on how to fix this :confused:

Does anybody know how the heck I can hide the SSH version? The part which says [OpenSSH_4.7]

[root]# telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.7

Download the OpenSSH source and build it without the version information. Look at the config files in the source.

I installed it as a 'package' downloaded from sunfreeware.com

Is there any way I can avoid having to uninstall it and recompile everything again?

It's not just 1 box, it's about 40+ boxes (potentially one weekend will be burnt and gone if I have to re-install everything).

Hi,
One trick you could do, but it is really risky and may render your sshd 'unstable', is to use a hex editor, look for the pattern and then apply the change ...
But, if it's for security reasons, people tend to think such a modification is futile and will give you no more safety, since most "proggies" will always try to test your installation :smiley: ...

Assuming we are dealing with a Solaris system.

Even if you did manage to hide the information:

Do they want you to disable e.g. the "what", "pkginfo" and "od" command as well?

Change access rights to the full /var/sadm tree?

Manipulate the size of the ssh executable?

Someone who is smart enough to become a security risk just by knowing which version you run, is an equally big risk with any of the information provided by the commands or files above.

Whoever did the audit: tell them to stop quoting what they read somewhere without knowing what it is about, and to pay you back whatever they charged you for the audit.

I agree with this.
They want you to hide the version of ssh, but have no issue with telnet running.

Well, I too agree that what you say is true, but my bottom line is that I have to pass this audit. My boss is anxious to pass the audit and so is the management; regardless of where on the internet they read up the info, and whether they are amateur script kiddies or not, THEY ARE THE AUDITORS and I have to comply.

Out of curiosity, did they tell you why you need to do this?
In my experience with audits (which is 2 audits in all my years doing this), when something has been recommended, the onus has been put on the auditors to tell us why it is needed, how can we accomplish it, and what guarantee they can give us that it will not break anything in our system.

Anyway, for easy fixes that don't require recompiling or messing around with the sshd binary, you could:

  • Block telnet to port 22.
  • Change the port sshd listens on.
  • Comment telnet out of inetd.conf and HUP inetd

A general comment: this is one of those things that I cannot understand about these "security experts". They want SAs to mess around with ssh, but they don't mind that telnet is running. If I'm a hacker, and I'm already inside your network, why would I want to mess around with the encrypted stuff when I have clear text flowing through the wire?

Isn't it obvious? One of the matrix movies had a character using an ssh exploit to hack some power station. Suddenly ssh is the prime target for all auditors :slight_smile: Yay.

But seriously, most audits should result in either compliance or a reason why not. I'd say system stability, when compared to the relatively low increase in risk from displaying that information, is a pretty good reason.

Yeah, I intend to change the port to something else; let those "experts" sniff it out, and when they do I'll change it again. Blocking telnet to port 22 won't help much; those guys are using netcat tools.

Anyway, thanks for the suggestions.

Some of the exploits out there are targeting specific versions of ssh. This is why I think it is important to hide services' version.

ok...
There aren't that many versions of ssh out there. So there are some exploits that work on some and not on others...
ok...

Question 1: if you have an ssh version that is vulnerable to a particular exploit, how do you make it more secure?
a) hide the name
b) patch/upgrade ssh to remove the vulnerability

Question 2 : If I'm a hacker, and I see a) renamed version - my exploit for that version is not working- or b) a name that makes no sense, what's the first thing that comes into my mind? "Hey, they have a vulnerability they are trying to hide but haven't patched yet!!"

Question 3: wouldn't it make more sense to either stop telnet or deny telnet to the ssh port, rather than advertise to everyone that you have a vulnerability that you have not addressed properly by attempting to disguise it?

Question 4: again, if I'm a hacker, and I'm in your network, if I know telnet is enabled, why would I want to mess with the encrypted stuff when you are sending plain ascii packets across the network?

To answer questions 3) and 4):

Someone from the outside is using telnet, and clearly you can't disable telnet on his/her machine.

Furthermore, initially SSH will see no difference between a real ssh connecting or a telnet session on port 22.

To come up with the most simple answer.

If, according to the auditors, the SSH version should be hidden, why don't they tell you how to do it, if they consider it possible?

That's just lame.

And?
The point I was trying to make is that there is no benefit security-wise of hiding your ssh version if you are going to allow telnet to be enabled.

I'm just going to shut up and move along as I am not offering anything else of value to the original poster.

Ok, I won't guarantee that this will work for you, but here is a way to change a string in an executable. You will need the GNU strings command; it is available in the binutils package at sunfreeware. So I need a binary to fiddle with....

$ cp /usr/bin/ftp .
$ ./ftp
ftp> help
Commands may be abbreviated.  Commands are:

!               cd              edit            help            mdir            newer           prompt          reset           size            user
$               cdup            epsv4           idle            mget            nlist           proxy           restart         status          verbose
account         chmod           exit            image           mkdir           nmap            put             rhelp           struct          ?
append          close           form            lcd             mls             ntrans          pwd             rmdir           sunique
ascii           cr              ftp             less            mode            open            quit            rstatus         system
bell            debug           get             lpwd            modtime         page            quote           runique         tenex
binary          delete          gate            ls              more            passive         recv            send            trace
bye             dir             glob            macdef          mput            preserve        reget           sendport        type
case            disconnect      hash            mdelete         msend           progress        rename          site            umask
ftp> bye
$

Ok, let's say that my auditors are demanding that I render the word abbreviated in all caps. This means that my replacement text has the exact same number of characters as my original text. That is important: I can change the text easily, but changing the size is harder. I need to locate the string, and that is why I am using the GNU strings program.

$ strings -t d -a -n 7 ftp | grep abbreviated
 290112 %sommands may be abbreviated.  Commands are:
$

There is my string but I need to code up a dd command that isolates it. It looks about 15 characters long starting a little bit after 290112. So I try...

$ dd if=./ftp bs=1 skip=290130 count=15 | od -A n -c
15+0 records in
15+0 records out
15 bytes transferred in 1 secs (15 bytes/sec)
           b   b   r   e   v   i   a   t   e   d   .           C   o

This got me close. But I need it exact...

$ dd if=./ftp bs=1 skip=290129 count=11 | od -A n -c
11+0 records in
11+0 records out
11 bytes transferred in 1 secs (11 bytes/sec)
           a   b   b   r   e   v   i   a   t   e   d
$

OK, that got it. What I really want to do is crack my ftp executable up into 3 pieces: the stuff before my string, my string, and the stuff after my string. This will take 3 dd statements and now I know how to code them...

$ dd if=./ftp bs=1 count=290129 of=ftp.1
290129+0 records in
290129+0 records out
290129 bytes transferred in 2 secs (145064 bytes/sec)
$ dd if=./ftp bs=1 skip=290129 count=12 of=ftp.2
12+0 records in
12+0 records out
12 bytes transferred in 1 secs (12 bytes/sec)
$ dd if=ftp bs=1 skip=290141 count=999999999 of=ftp.3
38563+0 records in
38563+0 records out
38563 bytes transferred in 1 secs (38563 bytes/sec)

Now I want to be sure that the middle piece is the string I am expecting and then I want to change the string...

$ od -A n -c ftp.2
           a   b   b   r   e   v   i   a   t   e   d   .
$ print -n ABBREVIATED. > ftp.2
$ od -A n -c ftp.2
           A   B   B   R   E   V   I   A   T   E   D   .
$

Now I can reassemble the pieces into a new binary and try it out...

$ cat ftp.* > ftp2
$ chmod u+x ftp2
$ ./ftp2
ftp> help
Commands may be ABBREVIATED.  Commands are:

!               cd              edit            help            mdir            newer           prompt          reset           size            user
$               cdup            epsv4           idle            mget            nlist           proxy           restart         status          verbose
account         chmod           exit            image           mkdir           nmap            put             rhelp           struct          ?
append          close           form            lcd             mls             ntrans          pwd             rmdir           sunique
ascii           cr              ftp             less            mode            open            quit            rstatus         system
bell            debug           get             lpwd            modtime         page            quote           runique         tenex
binary          delete          gate            ls              more            passive         recv            send            trace
bye             dir             glob            macdef          mput            preserve        reget           sendport        type
case            disconnect      hash            mdelete         msend           progress        rename          site            umask
ftp> bye
$ ./ftp
ftp> help
Commands may be abbreviated.  Commands are:

!               cd              edit            help            mdir            newer           prompt          reset           size            user
$               cdup            epsv4           idle            mget            nlist           proxy           restart         status          verbose
account         chmod           exit            image           mkdir           nmap            put             rhelp           struct          ?
append          close           form            lcd             mls             ntrans          pwd             rmdir           sunique
ascii           cr              ftp             less            mode            open            quit            rstatus         system
bell            debug           get             lpwd            modtime         page            quote           runique         tenex
binary          delete          gate            ls              more            passive         recv            send            trace
bye             dir             glob            macdef          mput            preserve        reget           sendport        type
case            disconnect      hash            mdelete         msend           progress        rename          site            umask
ftp> bye
$

That is pretty much it. But you need to get the arithmetic right or it won't work.

WOW, excellent job Perderabo,

I must say your "fly by wire" method is radical. Let me try this. If it works I'll paste the results.

Thanks again

It works. Putting it here just in case anybody ever needs this.

[root]# cd /tmp
[root]# cp /usr/lib/ssh/sshd .
[root]# ksh -o vi (I like korn)
[root]# strings -t d -a -n 7 sshd | grep Sun
989376 Sun_SSH_1.1
989472 Sun_SSH_1.1
989532 Sun_SSH_1.1
993040 Sun_SSH_1.0.*
993056 Sun_SSH_1.0*
999159 @(#)SunOS 5.9 Generic 113273-13 Oct 2006
[root]#

3 locations have Sun_SSH_1.1, hmm, which one? .. Let's try the first line.

[root]# dd if=./sshd bs=1 skip=989376 count=11 | od -A n -c
S u n _ S S H _ 1 . 1
11+0 records in
11+0 records out

[root]# dd if=./sshd bs=1 count=989376 of=sshd.1
989376+0 records in
989376+0 records out

[root]# dd if=./sshd bs=1 skip=989376 count=11 of=sshd.2
11+0 records in
11+0 records out

[root]# od -A n -c sshd.2 (testing to make sure)
S u n _ S S H _ 1 . 1

[root]# dd if=./sshd bs=1 skip=989387 count=999999999 of=sshd.3
11141+0 records in
11141+0 records out

[root]# ls -l sshd.2
-rw------- 1 root root 11 Feb 19 13:56 sshd.2

[root]# print -n JESUSLOVESu > sshd.2
[root]# ls -l sshd.2
-rw------- 1 root root 11 Feb 19 14:00 sshd.2

[root]# cat sshd.* > sshd.new
[root]# ls -l /usr/lib/ssh/sshd
-r-xr-xr-x 1 root bin 1000528 Oct 27 2006 /usr/lib/ssh/sshd
[root]# chmod 755 ./sshd.new
[root]# cp -p ./sshd.new /usr/lib/ssh/.

stop ssh;ps -ef and kill -9

cd /usr/lib/ssh
[root]# cp -p sshd sshd.ORG # back it up first
[root]# cp -p sshd.new sshd
[root]# cd /

[root]# /usr/lib/ssh/sshd # startup ssh
[root]# ps -ef |grep sshd
root 5652 1 0 14:04:28 ? 0:00 /usr/lib/ssh/sshd
root 5654 3665 0 14:04:31 pts/3 0:00 grep sshd
[root]#

[root]# telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-JESUSLOVESu

box8[root]# ssh <some ip> root
Password:
Last login: Tue Feb 19 13:48:21 2008 from localhost
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
[root]#

There are a couple of errors in messages which I'll monitor for a few days, but generally it works :o)

Perderabo, you just saved my weekend; I'll down a few brews for you this weekend.

Heaps of thanks again
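The dd/strings recipe Perderabo posted, and the sshd run above, both come down to one operation: overwrite an existing string with another of exactly the same length, at the right byte offset, without touching anything else in the file. The script below is an added example (not code from the thread or from any OpenSSH/Sun SSH source) that does that same edit with the arithmetic and the sanity checks done by code rather than by hand. The sample "binary" it ships with is constructed for the example; it only mimics the layout seen in the thread (a NUL-terminated version string that occurs more than once, next to a compatibility pattern that starts with the same prefix). The function and file names are the example's own.

```python
"""Equal-length string replacement in a binary.

Added example, not code from the thread. Reimplements the
"strings -t d | grep" + "dd skip/count" + "cat" recipe as one function with
the checks the hand procedure leaves to the operator.
"""
import re
import sys
from typing import List, Optional


def find_strings(blob: bytes, pattern: bytes) -> List[int]:
    """Byte offsets of every occurrence of pattern (like `strings -t d | grep`)."""
    return [m.start() for m in re.finditer(re.escape(pattern), blob)]


def patch_string(blob: bytes, old: bytes, new: bytes,
                 offsets: Optional[List[int]] = None,
                 whole: bool = True) -> bytes:
    """Return a copy of blob with old replaced by new at the given offsets
    (all occurrences when offsets is None).

    Refuses the mistakes the dd recipe would silently get wrong:
    - new must be exactly as long as old, so no other offset in the file moves
      and the string's NUL terminator stays where it was;
    - old must actually occur, and every requested offset must be one of the
      occurrences found;
    - with whole=True each match must be followed by a NUL, so a prefix such
      as b"Sun_SSH_1" is not patched inside b"Sun_SSH_1.0*" by accident.
    """
    if len(old) != len(new):
        raise ValueError(f"replacement must be {len(old)} bytes, got {len(new)}")
    found = find_strings(blob, old)
    if not found:
        raise ValueError(f"{old!r} not found")
    if offsets is None:
        offsets = found
    unknown = sorted(set(offsets) - set(found))
    if unknown:
        raise ValueError(f"{old!r} is not at offsets {unknown}")
    if whole:
        partial = [o for o in offsets
                   if blob[o + len(old):o + len(old) + 1] != b"\x00"]
        if partial:
            raise ValueError(f"match at {partial} is not a whole NUL-terminated "
                             "string; pass whole=False to patch it anyway")
    out = bytearray(blob)
    for off in offsets:
        out[off:off + len(new)] = new
    assert len(out) == len(blob)          # size must not change
    return bytes(out)


def patch_file(src: str, dst: str, old: str, new: str) -> List[int]:
    """Write a patched copy of src to dst (never in place: src stays as the
    backup, like sshd.ORG in the thread). Returns the offsets now holding new."""
    with open(src, "rb") as f:
        blob = f.read()
    patched = patch_string(blob, old.encode(), new.encode())
    with open(dst, "wb") as f:
        f.write(patched)
    return find_strings(patched, new.encode())


# Constructed sample, not a real binary: a fake ELF header, the version string
# twice, an unrelated string between them, and a compat pattern with the same
# prefix (the thread's sshd showed the same shape at larger offsets).
SAMPLE = (
    b"\x7fELF" + b"\x00" * 12      # 16-byte stand-in for the real header
    + b"Sun_SSH_1.1\x00"           # offset 16: version string
    + b"usage: sshd\x00"           # offset 28: unrelated text
    + b"Sun_SSH_1.1\x00"           # offset 40: version string again
    + b"Sun_SSH_1.0*\x00"          # offset 52: compat pattern, same prefix
    + b"\x00" * 8
)


if __name__ == "__main__":
    if len(sys.argv) == 5:
        # usage: patch_string.py <src> <dst> <old> <new>
        print("patched at offsets", patch_file(*sys.argv[1:5]))
    else:
        print(find_strings(SAMPLE, b"Sun_SSH_1.1"))                      # [16, 40]
        print(patch_string(SAMPLE, b"Sun_SSH_1.1", b"JESUSLOVESu")[16:52])
```

Run it with four arguments to patch a real file into a separate output path; the original is left untouched so it can be restored. The `whole` check is the one worth keeping: in the thread's sshd the plain `Sun_SSH_1.1` string sat right next to `Sun_SSH_1.0*` compatibility patterns, and a prefix replacement would have rewritten those too. Note that the output file has a different checksum from the packaged binary, which is exactly the package-database warning raised further down the thread.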

I am impressed!

Excellent job!

That's pretty cool Perderabo :slight_smile:
Just to add a word of warning though: be careful of Solaris packages etc. here, as the binary will no longer have the same checksum and could trigger warnings. Possibly what you're seeing in your messages file?

I forget the command line, but you can have the pkg database update itself with a new checksum for a modified binary.

It's also possible that a checksum test elsewhere in the code could trip up.

Just worth being careful to consider all the ramifications of fiddling with code like ssh.