httpd-users mailing list archives

From "Taco Fleur" <tacofl...@nella.net.au>
Subject RE: [users@httpd] Stop Apache from reporting version number anywhere..
Date Mon, 26 Jan 2004 06:56:54 GMT
What are other people's thoughts on this?

I personally reckon that those who use automated tools are script kiddies,
i.e. not real crackers - I believe real crackers will want to stay under the
radar and therefore perform aimed attacks instead of flooding the server
with requests that might disclose a security hole. For those aimed and
controlled attacks they first require as much info about you as possible.

But as you say, I also see the flip side to it: when not returning any of
this info people get curious, but still, I reckon only curious enough if
they know what they can expect on the other side, i.e. a bank.

My 2 cents

> -----Original Message-----
> From: Dan Trainor [mailto:dant@cavecreek.net] 
> Sent: Monday, 26 January 2004 2:44 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Stop Apache from reporting version 
> number anywhere..
> 
> 
> It's been our experience that the attack will happen regardless of
> software version.  Most attacks now are automated, by bots, doing sweeps
> on subnets and such.  It's rare anymore, in terms of numbers, to find
> one single guy trying to take out one single site.
> 
> Go ahead and give them your "bank name and account number".  If you
> don't want them to have that, hop off the internet.  You have to realize
> that they've already "got it".  Numbers will show you that it was done
> in an automated process.
> 
> I would imagine that this would also throw off some sort of red flag for
> the attacker or attack process.  I know I'd be curious if I didn't get
> back a version when I expected to see one.
> 
> -dant
> 
> 
> Taco Fleur wrote:
> 
> >I don't think you understand one bit - I am not deluding myself and 
> >thinking it will give me security, what I do know is that I am not 
> >handing any info that will help them...
> >
> >You hand them all the info you want, I'll try and hand as little
> >info as I can, everyone happy.
> >
> >Taco Fleur
> >Blog http://www.tacofleur.com/index/blog/
> >Methodology http://www.tacofleur.com/index/methodology/
> >0421 851 786
> >Tell me and I will forget
> >Show me and I will remember
> >Teach me and I will learn
> >
> >>-----Original Message-----
> >>From: Brian Dessent [mailto:brian@dessent.net]
> >>Sent: Monday, 26 January 2004 2:06 PM
> >>To: users@httpd.apache.org
> >>Subject: Re: [users@httpd] Stop Apache from reporting version 
> >>number anywhere..
> >>
> >>
> >>Taco Fleur wrote:
> >>
> >>>I didn't think it would patch any security holes.
> >>>
> >>>I don't agree with what you are saying, I believe displaying the
> >>>webserver software and version is like giving someone my Bank name,
> >>>account type and branch address, all they need to find out is what my
> >>>PIN is.
> >>
> >>It's giving them info that they will have regardless of
> >>whether you tell them or not.  If you honestly think someone 
> >>is going to probe your server and see the 'Header:' string 
> >>that doesn't contain a version number, and then say "Well, so 
> >>much for that, I guess he's not vulnerable" then you are 
> >>seriously deluding yourself.  When someone wants to know if 
> >>your server is vulnerable to an exploit, they try the 
> >>exploit.  They don't go by what version the server reports.  
> >>And if you seriously think that the only way to identify the 
> >>server software and version is by looking at the 'Header:' 
> >>field then you really need to read up on the security field.
> >>
> >>This is especially true in the age of backporting.  The
> >>redhat apache version is still 2.0.40, but they've backported 
> >>all of the serious flaws from the current .48.  So if an 
> >>attacker was scanning simply based on version numbers they 
> >>would have tons and tons of false positives for all those 
> >>Redhat systems out there.  In other words, attackers are not 
> >>fooled by what that header says.  Not displaying a version 
> >>number is not going to deter anyone.
> >>
> >>Feel free to hide the version number if you really want to,
> >>but DON'T delude yourself into thinking that it affords you 
> >>some degree of security.  If you have vulnerabilities you 
> >>need to fix them, period. 
> >>Changing the version string is not insurance against anything.
> >>
> >>Brian
> >>
> >>---------------------------------------------------------------------
> >>The official User-To-User support forum of the Apache HTTP
> >>Server Project. See 
> >><URL:http://httpd.apache.org/userslist.html> for more info. 
> >>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> >>For additional commands, e-mail: users-help@httpd.apache.org
> >>
> 
> 
> 



