Sunday, 8 February 2015

Ubuntu version information behind a firewall topic

I'm sorry if this information is out there somewhere. I can't think of an appropriate search to turn it up.

Here is my issue. Our company just went through a PCI compliance scan from a company called Trustwave. They obviously scan ports and figure out which are being used for what, I get that.

One of the things they reported was the version of Ubuntu we have installed on our server.

My question is what TCP request to Ubuntu will reply with the version information and how do I stop that from happening. I can't see how this is a good thing. Also how the heck are they doing it from the untrusted side of a router/firewall (3com). The only thing I can think of is that the information is included in header of some sort when a connection is attempted.

I've changed the default port for everything and the server is most certainly NOT in a DMZ anyway. Is this info included in some of the headers for SSH connections, for example, prior to an actual login?

I don't want people from the internet to know my server version for obvious reasons. If Trustwave can do it I'm sure someone will figure out how to exploit that if a vulnerability is documented for a particular version. I'm on a downlevel version 12.04.1 of Ubuntu LTS.

Thanks in advance.
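Added example, not part of the original post or written by its author: a small banner grabber and parser in Python that shows how a scanner such as the one described above learns the distribution and release from an SSH or HTTP service before any login takes place. OpenSSH sends its identification string (RFC 4253) as soon as the TCP connection opens, and Ubuntu's OpenSSH package puts its package revision (for example `Debian-5ubuntu1.4`) in the comments field of that string; Apache on Ubuntu likewise appends `(Ubuntu)` to its `Server:` header unless `ServerTokens Prod` is set. The sample banners, the example host address and the partial OpenSSH-version-to-Ubuntu-release table are constructed for illustration.

```python
"""Added example: how a scanner reads the distro/release off service banners.

All banners and addresses below are constructed for illustration; nothing is
captured from the poster's server or taken from the original post.
"""
import re
import socket

# Constructed sample banners (not captured traffic).
SAMPLE_SSH_BANNER = "SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4\r\n"
SAMPLE_SSH_BANNER_QUIET = "SSH-2.0-OpenSSH_5.9p1\r\n"  # what "DebianBanner no" yields
SAMPLE_HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Ubuntu)\r\nContent-Length: 0\r\n\r\n"
)
SAMPLE_HTTP_RESPONSE_QUIET = (  # what "ServerTokens Prod" yields
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"
)

# Partial, illustrative table: upstream OpenSSH version -> Ubuntu LTS that shipped it.
UBUNTU_RELEASE_BY_OPENSSH = {
    "OpenSSH_5.9p1": "12.04",
    "OpenSSH_6.6.1p1": "14.04",
}


def distro_from_comment(text):
    """Map banner comments such as 'Debian-5ubuntu1.4' or '(Ubuntu)' to a distro name.

    The Ubuntu check runs first because Ubuntu package revisions like
    '5ubuntu1.4' are carried behind a 'Debian-' prefix on 12.04.
    """
    if re.search(r"\d+ubuntu\d", text) or "Ubuntu" in text:
        return "Ubuntu"
    if text.startswith("Debian") or "(Debian)" in text:
        return "Debian"
    return None


def parse_ssh_banner(banner):
    """Split an SSH identification string (RFC 4253 section 4.2):

        "SSH-" protoversion "-" softwareversion [SP comments] CR LF

    Returns proto, software, comments, a distro guess and a release guess.
    """
    first = banner.split("\r\n", 1)[0].split("\n", 1)[0]
    m = re.match(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$", first)
    if not m:
        return {"raw": first, "error": "not an SSH identification string"}
    info = m.groupdict()
    info["raw"] = first
    info["distro"] = distro_from_comment(info["comments"] or "")
    info["release_guess"] = (
        UBUNTU_RELEASE_BY_OPENSSH.get(info["software"]) if info["distro"] == "Ubuntu" else None
    )
    return info


def parse_server_header(response):
    """Pull the Server: header out of a raw HTTP response and guess the distro from it."""
    for line in response.split("\r\n"):
        if line.lower().startswith("server:"):
            value = line.split(":", 1)[1].strip()
            return {"server": value, "distro": distro_from_comment(value)}
    return {"server": None, "distro": None}


def grab_banner(host, port, probe=b"", timeout=3.0):
    """Live banner grab (needs network; not exercised offline).

    SSH speaks first, so no probe is needed on port 22. For HTTP, pass a HEAD
    request as the probe to make the server return its Server: header.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        return s.recv(512).decode("ascii", "replace")


if __name__ == "__main__":
    print(parse_ssh_banner(SAMPLE_SSH_BANNER))
    print(parse_ssh_banner(SAMPLE_SSH_BANNER_QUIET))
    print(parse_server_header(SAMPLE_HTTP_RESPONSE))
    # Against a real host (192.0.2.10 is a documentation address, constructed here):
    #   grab_banner("192.0.2.10", 22)
    #   grab_banner("192.0.2.10", 80, b"HEAD / HTTP/1.0\r\nHost: example\r\n\r\n")
```

Two practical points follow from this. Moving a service to a non-default port does not hide the banner, because a compliance scanner probes the whole port range and reads whatever answers. The suffix itself can be suppressed with `DebianBanner no` in `/etc/ssh/sshd_config` (the Debian/Ubuntu OpenSSH packages add that option) and `ServerTokens Prod` in the Apache configuration, which is what the "quiet" samples above model; that only removes the fingerprint, though, and the finding a scanner actually cares about is an unpatched version, so keeping the packages current matters more than hiding the string.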