Disable SSH OS Banner on FreeBSD

By | 2014/07/18

By default, FreeBSD ships an SSH banner that identifies the exact OS build. For best security, you may wish to stop broadcasting this information to the world. Here’s the tip!


mini-FAQ on OpenSSH Banners

Note: For OpenSSH to operate, it must announce its version in the banner so that clients can negotiate a connection properly. For example, this part of the string must remain:

SSH-2.0-OpenSSH_6.6.1p1

What you can disable is the extra banner information, in this case the addendum that broadcasts “FreeBSD-20140420”:

SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420

You can check the banner using netcat:

$ nc -v raleigh.stmiller.org 22
DNS fwd/rev mismatch: raleigh.stmiller.org != mwa0.x.rootbsd.net
raleigh.stmiller.org [162.217.113.122] 22 (ssh) open
SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420
^C


Disable extra banner information

1. Edit the file /etc/ssh/sshd_config

Locate the line #VersionAddendum FreeBSD-20140420 and replace it with VersionAddendum and no value.

...
#Compression delayed
ClientAliveInterval 300
ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum FreeBSD-20140420
VersionAddendum 
...


2. Restart ssh

$ sudo /etc/rc.d/sshd restart

Extra banner information is now removed:

$ nc -v raleigh.stmiller.org 22
DNS fwd/rev mismatch: raleigh.stmiller.org != mwa0.x.rootbsd.net
raleigh.stmiller.org [162.217.113.122] 22 (ssh) open
SSH-2.0-OpenSSH_6.6.1_hpn13v11
^C
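To automate the before/after check done above with nc, here is an added example (not from the original post) that reads a server's identification line and splits it into the fields RFC 4253 defines ("SSH-protoversion-softwareversion SP comments"), flagging any comments field, which is where VersionAddendum ends up. The sample lines are copied from the post's output; the function and field names are this example's own.

```python
"""Audit an SSH identification string for a VersionAddendum leak."""
import socket
from typing import NamedTuple, Optional


class SshBanner(NamedTuple):
    protoversion: str
    softwareversion: str
    comments: Optional[str]  # OpenSSH puts VersionAddendum here


def parse_banner(line: str) -> SshBanner:
    """Split one identification line into its RFC 4253 fields."""
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-"):
        raise ValueError("not an SSH identification string: %r" % line)
    ident, _, comments = line.partition(" ")
    # "SSH-2.0-OpenSSH_6.6.1_hpn13v11" -> ["SSH", "2.0", "OpenSSH_6.6.1_hpn13v11"]
    parts = ident.split("-", 2)
    if len(parts) != 3:
        raise ValueError("malformed identification string: %r" % line)
    return SshBanner(parts[1], parts[2], comments or None)


def has_os_addendum(line: str) -> bool:
    """True when anything follows the software version (the leak)."""
    return parse_banner(line).comments is not None


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification line, as `nc -v host 22` shows it.

    A server may send other text lines before the SSH- line (RFC 4253
    section 4.2), so skip until one starts with "SSH-".
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("r", encoding="utf-8", errors="replace")
        for raw in stream:
            if raw.startswith("SSH-"):
                return raw.rstrip("\r\n")
    raise ValueError("no SSH identification string received")


if __name__ == "__main__":
    # Constructed samples: the post's banner before and after the change.
    for sample in ("SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420",
                   "SSH-2.0-OpenSSH_6.6.1_hpn13v11"):
        banner = parse_banner(sample)
        verdict = "addendum leaked: " + banner.comments if banner.comments else "no addendum"
        print(sample, "->", verdict)
```

Run fetch_banner("your.host") against your own server after the restart and pass the result to has_os_addendum to confirm the addendum is gone.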

6 thoughts on “Disable SSH OS Banner on FreeBSD”

  1. Claus Conrad

    Thanks, this was very helpful. I ran a security audit on my server and the addendum was listed as a “low risk” vulnerability. Your post helped me to remove it.

    Reply
  2. ladnad

    Thanks for this,

    Is it also possible to disable the version of openssh?

    Reply
    1. Scott Miller Post author

      Unfortunately it is not possible to disable broadcasting the version. This is not a FreeBSD thing, but an openssh thing. For ssh to operate with clients, it requires the server to broadcast the version.

      Cheers,

      Reply
  3. Miklos

    Hi, this does not work on 10.3. When I reload the ssh daemon, I get:

    Performing sanity check on sshd configuration.
    /etc/ssh/sshd_config line 122: Missing argument.

    I need to specify something after the option in sshd_config.

    Reply
    1. Guy

      I had the same issue. You need to set “VersionAddendum none”.

      When you connect, it will not show “none”, it will just be blank space:

      $ nc -v example.com 22
      Connection to example.com port 22 [tcp/ssh] succeeded!
      SSH-2.0-OpenSSH_7.2
      ^C

      Reply
