Disable Debian Banner Suffix on SSH Server

By | 2011/06/14


While SSH requires the server to broadcast its exact version number as part of the protocol, you can opt to disable broadcasting of the ‘Debian’ suffix that is added by default.

By default your server provides something like this to the world:

OpenSSH 5.2p1 Debian 7ubuntu3.5 (protocol 2.0)

I’ll show you how to change that and remove the distribution information!


Side note: This was only introduced in Debian as of openssh 5.2p-1-2 (2009). Ironically, in classic Debian drama style, it was first brought up in 2002 but was not added then, because people said it was not a security concern.

From man sshd_config:

DebianBanner
         Specifies whether the distribution-specified extra version suffix
         is included during initial protocol handshake.  The default is
         ``yes''.

1. Edit this file:

$ sudo nano /etc/ssh/sshd_config 

2. Enter the following line:

DebianBanner no

3. Save the config file and restart ssh

Control+X, Y to save in nano

Restart ssh:

sudo /etc/init.d/ssh restart

Done!


You can test the banner with nmap:

$ sudo nmap -A -T4 -p 22 example.com

Before:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.2p1 Debian 7ubuntu3.5 (protocol 2.0)

After:

22/tcp open  ssh     OpenSSH 5.2p1 (protocol 2.0)
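To check the change without a port scan, the following added example (not part of the original post) reads the effective DebianBanner value from a config file and extracts the comments field of an SSH identification string, which is where the suffix travels. The function names and sample inputs are constructed for illustration; the raw banner strings assume the usual wire form of the version shown above, and Include files are not followed.

```shell
#!/bin/sh
# Added example: verify the DebianBanner change from the config and the banner.

# Print the effective DebianBanner value from an sshd_config-style file.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and the default is "yes" when the keyword is absent.
# Assumption: Include files are not followed.
debianbanner_setting() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        tolower($1) == "debianbanner" { print $2; found = 1; exit }
        END { if (!found) print "yes" }          # man page default
    ' "$1"
}

# Print the comments field of an SSH identification string
# ("SSH-protoversion-softwareversion SP comments", RFC 4253 section 4.2).
# An empty result means no distribution suffix is being sent.
# Returns 1 if the input is not an SSH identification string.
ssh_ident_comment() {
    ident=$(printf '%s' "$1" | tr -d '\r')       # drop the trailing CR
    case $ident in
        SSH-*" "*) printf '%s\n' "${ident#* }" ;;  # text after first space
        SSH-*)     printf '\n' ;;                  # no comments field
        *)         return 1 ;;
    esac
}

# Constructed sample inputs (not captured from a real host).
sample_cfg=$(mktemp)
printf '%s\n' '# DebianBanner yes' 'Port 22' \
    'debianbanner no' 'DebianBanner yes' > "$sample_cfg"
echo "config: DebianBanner $(debianbanner_setting "$sample_cfg")"
echo "before: '$(ssh_ident_comment 'SSH-2.0-OpenSSH_5.2p1 Debian-7ubuntu3.5')'"
echo "after:  '$(ssh_ident_comment 'SSH-2.0-OpenSSH_5.2p1')'"
rm -f "$sample_cfg"
```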