Very Computer

I'd like to make it *less* easy for the hacker wanna-be's
to know what OS I am running and would to get rid of
the banner that says

    SunOS 5.7

    login:

Is there a way to disable this default SunOS 5.7 part so you
just get a "login" prompt?

Thanks,
Mike

Subject: How do I prevent my machine from announcing OS version, daemon
        version, etc in the banner message?

In unix, find the daemon in question, possibly by finding its line
in /etc/inetd.conf, and read its man page.  For complex config files
(e.g. sendmail), search in the config file for the constant portions of
the string it's outputting (e.g. in sendmail.cf find the string "Sendmail"
with a capital 'S').  For telnetd, some systems have "-h" to suppress the
greeting and other systems output the contents of a file called something
like /etc/issue.  (Note that in redhat linux, you really want to modify
/etc/rc.d/rc.local rather than (or in addition to) /etc/issue*, because
it regenerates /etc/issue* upon boot.)

[paragraph repeated from the article I just wrote re sendmail banner:]
But this might not really be a security issue and it might not be worth
your effort.  Suppressing banners probably doesn't restrict any information
which is genuinely useful to an attacker.  If an attacker has some "exploit"
program for sendmail 1.2.3 only, then rather than checking the banner
to see if your machine is in fact running sendmail 1.2.3, they might as
well just run the exploit program, which is a direct check of whether
you're vulnerable.  Whereas the banner suppression *will* interfere with
some kinds of checking of sendmail versions which you yourself may want
to do occasionally.

Quote:>In unix, find the daemon in question, possibly by finding its line
>in /etc/inetd.conf, and read its man page.  For complex config files
>(e.g. sendmail), search in the config file for the constant portions of
>the string it's outputting (e.g. in sendmail.cf find the string "Sendmail"
>with a capital 'S').  For telnetd, some systems have "-h" to suppress the
>greeting and other systems output the contents of a file called something
>like /etc/issue.  (Note that in redhat linux, you really want to modify
>/etc/rc.d/rc.local rather than (or in addition to) /etc/issue*, because
>it regenerates /etc/issue* upon boot.)

     The banner  printed  by  in.telnetd   is  configurable.  The
     default  is  (more  or less) equivalent to "`uname -sr`" and
     will be used if no banner is set  in   /etc/default/telnetd.
     To set the banner, add a line of the form

(Rest deleted to keep the suspense)

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.

Quote:>And in Solaris 7, the in.telnetd manual page says:
>     The banner  printed  by  in.telnetd   is  configurable.

Thanks for the pointer.  I've added:

        For Solaris 2.6 and greater, put "BANNER=" (without the quotes)
        in /etc/default/telnetd.  The telnetd included with Solaris <2.6
        and SunOS can't suppress the banner, but there's no need to use
        that particular software; you could use GNU telnetd, for example;
        or you might edit the binary, as the strings appear in it.

(let me know if I've got anything wrong in there -- it's definitely not in
solaris 2.5, but my version list might still be wrong)

--
------------------------------------------------------------------

Suchandra S. Thapa

------------------------------------------------------------------