If I go inside the file /etc/ssh/ssh_config, I can see "$OpenBSD" at the top of file. However, if I change the default port to a different value, it doesn't seem to work. A colleague informed me that's because Dropbear is the software server here, not OpenSSH.
Is there a way to be sure? I can't find an answer googling that.
Connect to the ssh port (e.g. 22) and inspect the banner.
Most (if not all?) SSH servers send some sort of version string immediately upon connecting. In a small research project of mine I tried to map SSH server version across a large IPv4 space, and what I did was basically nc address port.
I baked it into a Perl script with a timeout for easier processing on my side, as well as an optional timeout with a default value:
Testing it against a server on my network:
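The banner check described in this answer, as an added example in Python; it is not the answer's Perl script, which is not reproduced on this page. It parses the identification string in the RFC 4253 layout (SSH-protoversion-softwareversion SP comments) and skips any lines a server sends before it; the function names, the prefix table and the default values are assumptions made for this example.

```python
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

# Software-version prefixes mapped to a product name (constructed, not exhaustive).
KNOWN = (("OpenSSH", "OpenSSH"), ("dropbear", "Dropbear"))


def parse_ident(line):
    """Split an SSH identification string into its fields, or return None."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    info = m.groupdict()
    info["product"] = next(
        (name for prefix, name in KNOWN if info["software"].startswith(prefix)),
        "unknown",
    )
    return info


def ident_from_stream(stream, max_lines=20):
    """Return the parsed ident from a binary stream, skipping pre-banner lines."""
    for _ in range(max_lines):
        raw = stream.readline(256)  # an ident line is at most 255 bytes
        if not raw:
            break  # peer closed before identifying itself
        line = raw.decode("ascii", errors="replace")
        if line.startswith("SSH-"):
            return parse_ident(line)
    return None


def read_ident(host, port=22, timeout=5.0):
    """Connect with a timeout and read the server's identification string."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as stream:
            return ident_from_stream(stream)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(read_ident(target, int(sys.argv[2]) if len(sys.argv) > 2 else 22))
```

The result is only what the server announces about itself, so it is a hint to confirm on the host rather than proof.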
If you are on the server, look at the process attached to the network port where ssh is expected (22 or something else).
You can use netstat or ss for that. You will then be able to find the full command line of the running server, which may be enough to identify it, or else you may use two other options:
- strings on it is really the last course of action but can yield results (you will most certainly also find the string that is reported by the server remotely, as other answers show)
- /proc/$PID/fd) which may yield either a link to a configuration file, or a logfile, and ideally the logfile would give enough information to pinpoint what process this is.
Or, depending on your system and setup, you can for example use systemctl list-units to see exactly what currently runs, and what the ssh server is (then by inspecting the systemd unit file you will see what command line it is, and other information).
If you are external to the server, then see other answers, but there is no guarantee that what is returned from the remote server is the truth; it can display itself as whatever it wants.
Another option remotely would be to do some "SSH fingerprinting". I haven't seen that directly, but I am sure it exists. Basically by testing various types of connections, one can determine some info from the remote part, besides what it claims to be. I guess multiple vulnerability scanners have things like that.
You can use ps to get the list of processes and grep the output for sshd.
With this, you will get the path to the executable binary {{ eg /usr/sbin/sshd or something like that }}.
You can then execute this binary with -? to get the help & usage information. This output will contain the Definitive Name of the Package {{ eg OpenSSH or Dropbear or something like that }}.