Mask ssh version

Hi,

On the old VyOS I can't see the SSH version, which is good.
But on VyOS 1.4 RC3 I can see the SSH version.
When I execute nmap -sV -p 22 vyoshost, I see the version of the OpenSSH server.

Which option do I have to set to mask this information?

Greetz

Hiding the SSH version is just security by obscurity. An attacker doesn’t care about the version you are running. They just fire an exploit and see what happens…

If you don’t want people to know what version you are using, then only allow access from certain IPs/Networks.

1 Like

I agree with @roedie.

Hiding/changing the version is just false security. The attacker doesn't care what version your exposed service claims to be running; they will fire all available exploits, including 0-day vulns.

The proper way to deal with this is to make sure that your SSH login is never exposed to anyone other than permitted users. For example, lock it to the MGMT-VLAN or MGMT-VRF and/or apply an ACL to filter which hosts will even get a response in return.

Like so:

set service ssh access-control allow user 'vyos'
set service ssh ciphers 'aes256-gcm@openssh.com'
set service ssh dynamic-protection allow-from '192.168.255.0/24'
set service ssh dynamic-protection block-time '60'
set service ssh dynamic-protection detect-time '3600'
set service ssh dynamic-protection threshold '10'
set service ssh listen-address '192.168.255.1'
set service ssh mac 'hmac-sha2-512'
set service ssh rekey data '1024'
set service ssh rekey time '60'
set service ssh vrf 'VRF_MGMT'
3 Likes
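As an added example (not VyOS code and not part of the posts above), a small audit script that parses "set service ssh ..." lines like the ones in the reply above and reports which exposure-limiting controls are missing. The sample config is the one from the post; the finding texts and the parse_set_lines/audit_ssh names are this example's own.

```python
"""Audit VyOS 'set service ssh ...' lines for exposure-limiting controls.

Constructed example: parses the 'set' lines into a dict keyed by config
path and checks for the controls the forum reply relies on (bind address,
VRF, user allow-list, pinned algorithms, dynamic-protection exemptions).
"""
import shlex

# The config exactly as posted above (constructed sample input).
SAMPLE_CONFIG = """\
set service ssh access-control allow user 'vyos'
set service ssh ciphers 'aes256-gcm@openssh.com'
set service ssh dynamic-protection allow-from '192.168.255.0/24'
set service ssh dynamic-protection block-time '60'
set service ssh dynamic-protection detect-time '3600'
set service ssh dynamic-protection threshold '10'
set service ssh listen-address '192.168.255.1'
set service ssh mac 'hmac-sha2-512'
set service ssh rekey data '1024'
set service ssh rekey time '60'
set service ssh vrf 'VRF_MGMT'
"""

def parse_set_lines(text):
    """Map a config path tuple to its list of values ('' for flag-only nodes)."""
    tree = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        tokens = shlex.split(line)[1:]          # shlex strips the quotes
        if line.endswith("'"):                  # last token is a quoted value
            path, value = tuple(tokens[:-1]), tokens[-1]
        else:                                   # bare node such as 'disable-...'
            path, value = tuple(tokens), ""
        tree.setdefault(path, []).append(value)
    return tree

def audit_ssh(tree):
    """Return findings (strings); an empty list means every control is present."""
    ssh = ("service", "ssh")
    findings = []
    listen = tree.get(ssh + ("listen-address",), [])
    if not listen or "0.0.0.0" in listen or "::" in listen:
        findings.append("listen-address missing or wildcard: sshd bound on every address")
    if ssh + ("vrf",) not in tree:
        findings.append("vrf missing: sshd reachable via the default routing table")
    if ssh + ("access-control", "allow", "user") not in tree:
        findings.append("access-control allow user missing: any local user may log in")
    if ssh + ("dynamic-protection", "allow-from") not in tree:
        findings.append("dynamic-protection allow-from missing: admin hosts can be auto-blocked")
    for alg in ("ciphers", "mac"):
        if ssh + (alg,) not in tree:
            findings.append(f"{alg} not pinned: OpenSSH defaults apply")
    return findings
```

Run it against a candidate config before commit; only a wildcard listen-address counts as a finding, so a 0.0.0.0 bind is flagged even when everything else is set.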