September 14th, 2006, 08:26
I'm scanning my servers to see what info they give out. I've managed to minimise what Apache can give out with the ServerTokens Prod directive, but I'd really like to stop mysql giving out the version too. I just can't seem to find out how this is done.

-zombie@puffix (~) $ sudo nmap -A -sS X.X.X.X
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-09-14 14:01 BST
Interesting ports on X.X.X.X:
Not shown: 1673 closed ports
21/tcp open ftp ProFTPD
25/tcp open smtp Postfix smtpd
53/tcp open domain
80/tcp open http Apache httpd
199/tcp open smux Linux SNMP multiplexer
443/tcp open ssl/http Apache httpd
3306/tcp open mysql MySQL 4.1.20
MAC Address: XX:XX:XX:XX:XX:XX (Addtron Technology CO.)
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.0 - 2.5.20, Linux 2.4.7 - 2.6.11
Service Info: Host: X.X.X.X; OSs: Unix, Linux

Nmap finished: 1 IP address (1 host up) scanned in 16.886 seconds

If I telnet to the port, I can see that it's giving out the version no.:

-zombie@puffix (~) $ telnet X.X.X.X 3306
Trying X.X.X.X...
Connected to X.X.X.X.
Escape character is '^]'.

Any ideas?

September 15th, 2006, 07:22
Can that MySQL port be seen from the Internet? If so: eeks! Slap a filter rule over that el pronto. I assume you don't have external MySQL clients.

And see if you can configure ftpd to not give a banner; that'd help a bit.

September 15th, 2006, 09:11
no, the mysql port is internal only. I'm trying to find out how to disable the ProFTPD and Postfix banners too.

September 15th, 2006, 09:14
I wouldn't bother removing the Postfix banner. Having it there should avoid repeated cracking attempts. "Nothing to see here, folks. Move along." :-)

September 15th, 2006, 23:05
you can disable the postfix banner using the "smtpd_banner" option in the main.cf
I remove the default postfix banners and replace it with something geeky. Not exactly legal according to the rfc's.

bmw is correct, there's really no need to remove the postfix banner, postfix has a impeccable track record.

I think the proftpd banner can be turned off using the "ServerIdent" directive in your proftpd.conf though nmap will still likely identify proftpd correctly.

Never tried looked at changing the MySQL banner. I rarely have a need to bind mysqld to anything but the lo0 interface. In the rare instance when I have bound MySQL to anything other than lo0 I have always written fw rules that restrict access to those hosts that need access.

October 4th, 2006, 16:17
If it's localhost only communication to the mysql server you could just entirely disable networking all together.

inside the my.cnf

skip networking

then you pretty much communicate though the /tmp/mysql.sock file