Many text-based protocols (FTP, SSH, Telnet, SMTP, finger, HTTP, POP3, identd/auth, and UUCP) issue text banners when users connect to the service, and the information displayed in the banner can be used to fingerprint the service. Because many banners reveal the exact version of the product, crackers who invest time looking can look up the listed version number to discover which exploit works on a particular system. For example, the telnet server shipped with the 2.0.31 Linux kernel is known to be vulnerable to exploits. Here is how a cracker can be tipped off about the vulnerability for Telnet. The banner for the protocol would read as follows (note the line which reads “Kernel 2.0.31 on an i586”):
For this reason, many security experts recommend displaying a banner “warning off” all unauthorized users, and doing so is in fact required in some jurisdictions. This warning also helps system administrators avoid a limitation imposed by the U.S. Federal Wiretap Act: communication on a network may not be monitored by anybody if the initiator can claim a reasonable expectation of privacy. System administrators therefore set up the banners for their services to state that access to their services will be monitored. Moreover, system administrators are advised to suppress all version information in the banners. Some system administrators alter banners to purposely disinform an attacker and send the attacker on a wild goose chase. A perfect example is making Microsoft’s IIS Web server advertise itself as something else, such as a checkpoint server on a Solaris UNIX machine.
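As an added example (not part of the original entry), this Python sketch audits banners captured from services you administer for the two points above: disclosed version or platform details, and a missing monitoring notice. The sample banners are constructed (only the “Kernel 2.0.31 on an i586” line comes from the text), and the patterns and function names are assumptions for illustration.

```python
import re

# Dotted version strings such as "2.0.31"; also matches after "_" or "/".
VERSION_RE = re.compile(r"(?<![\d.])\d+(?:\.\d+)+")
# Platform hints (assumed, non-exhaustive list).
PLATFORM_RE = re.compile(r"\b(?:i[3-6]86|x86_64|sparc|solaris|sunos|linux|windows)\b", re.I)
# Wording that tells the user the service is monitored (assumed phrasing).
NOTICE_RE = re.compile(r"monitor(?:ed|ing)", re.I)

def audit_banner(service, banner):
    """Return findings for one banner captured from a service you administer."""
    text = banner
    if service == "ssh":
        # "SSH-2.0-" is the mandatory protocol version, not a product version.
        text = re.sub(r"^SSH-\d+\.\d+-", "", text)
    findings = []
    versions = VERSION_RE.findall(text)
    if versions:
        findings.append("version disclosed: " + ", ".join(versions))
    platforms = sorted({p.lower() for p in PLATFORM_RE.findall(text)})
    if platforms:
        findings.append("platform disclosed: " + ", ".join(platforms))
    if not NOTICE_RE.search(text):
        findings.append("no monitoring notice")
    return findings

# Constructed sample banners; only the "Kernel 2.0.31 on an i586" line is from the text.
SAMPLES = {
    "telnet": "Kernel 2.0.31 on an i586\nlogin: ",
    "ssh": "SSH-2.0-OpenSSH_7.4\nAll sessions are monitored.\n",
    "ftp": "220 FTP server ready.\n",
    "smtp": "220 mail.example.com ESMTP. Use of this system is monitored.\n",
}

def audit_all(samples):
    """Map each service name to its list of findings."""
    return {service: audit_banner(service, banner) for service, banner in samples.items()}

if __name__ == "__main__":
    for service, findings in audit_all(SAMPLES).items():
        print(f"{service}: {'; '.join(findings) or 'ok'}")
```

The version pattern also matches dotted IP addresses, so a banner that echoes an address will be flagged and needs a manual look.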
Graham, R. Hacking Lexicon. [Online, 2001.] Robert Graham Website. http://www.linuxsecurity.com/resource_files/documentation/hacking-dict.html.