* On Tue, Jan 13, 2004 at 02:25:36PM +0000, Ivan Ristic wrote:

> Because I believe that changing the signature prevents some
> automated tools from attacking the server.

This is a valid point.

> I recently changed the signature of the Apache running on
> modsecurity.org (to pretend to be IIS5). As a result, I've started
> getting more IIS-related attacks than before. So, the signature
> does matter.

Exactly. In an enterprise where I am responsible for 1000+ web
servers, we ran metrics to see the ratios in which servers' signatures
were "examined". Not to be anti-IIS or anything, but the scans against IIS
outweighed the Apache scans in the range of 8:1, or somewhere in those
lines.

I also would like to say that the majority of those (Apache) metrics
exhibited more "examinations" which were specific to code
vulnerabilities, not server-specific vulnerabilities.

To close, I don't think adding any type of directive to falsify
SERVER_SOFTWARE would be of any benefit, except to add a false sense
of security.

--
Chip Cuccio | chipster[at]norlug[.]org
NORLUG VP and Sysadmin | <http://norlug.org/~chipster/>
Northfield Linux Users' Group | Northfield, Minnesota USA