I’m working on a customer application, and after security pen testing commissioned by them on balenaOS (production version), it was noticed that port 22222 is open, which makes sense because this is the port exposed for the SSH server service as explained here. However, one can see that after establishing a TCP connection to the device on that port, there’s a banner indicating the SSH and OpenSSH version:
Now, the question is: is there any way to remove this banner at the balenaOS level, maybe some OS configuration flag or something of that sort?
The motivation behind this question is simply a security concern from my customer, where malicious third parties might exploit any future vulnerability after finding out the OpenSSH version running on the devices.
I’ll appreciate anyone shedding some light my way with respect to this question.
According to this ServerFault post, OpenSSH does not allow configuring this and it would be necessary to patch and recompile OpenSSH’s source code. This is consistent with @TJvV’s explanation re RFC. The host OS of balenaOS (as opposed to application containers) is currently somewhat limited regarding runtime service reconfiguration, and the only option I am aware of would be to build a custom balenaOS image. Custom images, however, cannot be updated through the balenaCloud web dashboard. We are working on a feature that will allow applications to make a number of runtime configuration changes to the host OS, but even then I don’t think that changing the OpenSSH identification string would be possible without building a new balenaOS image, given that it is not something configurable by OpenSSH itself.
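To make the RFC point above concrete, here is an added example (not from the thread or from balena) that parses the identification string a server sends first on a connection, in the format RFC 4253 section 4.2 requires: `SSH-protoversion-softwareversion SP comments CR LF`. The sample bytes are constructed, not captured from a device; an auditor can feed it the first bytes read from a socket to record what a fleet's port 22222 exposes.

```python
"""Parse the SSH identification string (RFC 4253 section 4.2).
The protocol mandates this line before key exchange, which is why
OpenSSH cannot simply suppress it; the software version part is what
shows up as the "banner" on balenaOS port 22222."""
import re

# RFC 4253 4.2: SSH-protoversion-softwareversion SP comments CR LF
_ID_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_identification(line):
    """Parse one identification line (CR LF or LF terminated).
    Returns a dict with protoversion, softwareversion and comments,
    or None if the line is not an identification string."""
    m = _ID_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {
        "protoversion": m.group("proto"),
        "softwareversion": m.group("software"),
        "comments": m.group("comments") or "",
    }


def read_identification(data):
    """Locate the identification string in the raw bytes a server sent.
    RFC 4253 permits other lines (not beginning with "SSH-") before it,
    so those are skipped. Returns the parsed dict or None."""
    for raw in data.split(b"\n"):
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue  # not an identification line; keep scanning
        parsed = parse_identification(text)
        if parsed:
            return parsed
    return None


def software_product(parsed):
    """Split an OpenSSH-style softwareversion such as "OpenSSH_8.4"
    into (product, version) for inventory or comparison against advisories."""
    name, _, version = parsed["softwareversion"].partition("_")
    return name, version


# Constructed sample bytes (hypothetical version, not a real device capture)
SAMPLE = b"SSH-2.0-OpenSSH_8.4\r\n"

if __name__ == "__main__":
    print(software_product(read_identification(SAMPLE)))
```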