Remove operating system information from ssh

Nmap OS Detection

If you want to scan a machine with nmap, you can retrieve a whole host of information. One of these is the operating system with nmap, and more specifically the flag for OS detection.

$ nmap -A domain.tld

Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-03 00:00 CET
Nmap scan report for domain.tld (XXX.XX.XX.X)
Host is up (0.55s latency).
Other addresses for domain.tld (not scanned): ::1
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.17 seconds

With this scan, we know that the scanned machine is Ubuntu. Specifically with the ssh Version: OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol.

You can disable the OS information and its version by adding DebianBanner=no to the /etc/ssh/sshd_config config file.

We can restart the ssh service and run our OS detection again, and the information is no longer visible.

systemctl restart ssh

Tip

If you want to go further and not display the ssh version, you need to change the source code and compile the ssh binary yourself.

$ nmap -A domain.tld

Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-03 00:00 CET
Nmap scan report for domain.tld (XXX.XX.XX.X)
Host is up (0.55s latency).
Other addresses for domain.tld (not scanned): ::1
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 8.9p1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.17 seconds

Ubuntu information has disappeared!

Ansible playbook

For greater efficiency and adoption on all your machines, an ssh playbook can be set up like this.

---
- name: Disable Debian Banner in SSH Configuration
 hosts: all
 become: true  # Run tasks with sudo (or become_method of your choice)

 tasks:
   - name: Add DebianBanner no to sshd_config
     lineinfile:
       path: /etc/ssh/sshd_config
       regexp: '^DebianBanner'
       line: 'DebianBanner no'
       state: present
     notify:
       - restart sshd

 handlers:
   - name: restart sshd
     service:
       name: sshd
       state: restarted

We can create a hosts file with all the machines to be updated.

[all:vars]
ansible_user='root'
ansible_become=yes
ansible_become_method=sudo
ansible_python_interpreter='/usr/bin/env python3'
become_method=dzdo
[servers]
domain.tld
domain1.tld
domain2.tld

We can now launch our ansible playbook!

ansible-playbook -i hosts ssh-banner.yml

No machine now returns information from our operating system.

Nmap OS Detection#

Ansible playbook#

Nmap OS Detection

Ansible playbook