httpd-dev mailing list archives

From Chip Cuccio <chips...@norlug.org>
Subject Re: Proposal: Allow ServerTokens to specify Server header completely
Date Tue, 13 Jan 2004 14:38:39 GMT
* On Tue, Jan 13, 2004 at 02:25:36PM +0000, Ivan Ristic wrote:
>   Because I believe that changing the signature prevents some
>   automated tools from attacking the server.

This is a valid point.

>   I recently changed the signature of the Apache running on
>   modsecurity.org (to pretend to be IIS5). As a result, I've started
>   getting more IIS-related attacks than before. So, the signature
>   does matter.

Exactly. In an enterprise where I am responsible for 1000+ web
servers, we ran metrics to see the ratios in which servers' signatures
were "examined". Not to be anti-IIS or anything, but the scans against IIS
outweighed the Apache scans in the range of 8:1, or somewhere along those
lines.

I would also like to say that the majority of those (Apache) metrics
exhibited more "examinations" that were specific to code
vulnerabilities, not server-specific vulnerabilities.

To close, I don't think adding any type of directive to falsify
SERVER_SOFTWARE would be of any benefit, except to add a false sense
of security.

-- 
Chip Cuccio                    |  chipster[at]norlug[.]org
NORLUG VP and Sysadmin         |  <http://norlug.org/~chipster/>
Northfield Linux Users' Group  |  Northfield, Minnesota USA
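The "metrics" described in the message above, as an added example that is not part of the thread and not the poster's own tooling: a small classifier that reads Combined Log Format lines, tags each request as an IIS-directed probe, an Apache-directed probe, a server-independent web-application probe, or ordinary traffic, and reports the IIS:Apache ratio. The log lines are constructed, and the path signatures are a short illustrative set of well-known probe paths (Code Red's default.ida, Nimda-style cmd.exe traversal, phf, server-status), not a complete scanner fingerprint list; anyone using this would extend them from their own traffic.

```python
"""Classify web-server probes by the platform they target.

Added example for the httpd-dev ServerTokens discussion, not code from the
thread. Sample log lines are constructed; signature lists are illustrative.
"""
import re
from collections import Counter

# Combined Log Format:
# host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: an illustrative set of probe paths keyed by the platform they
# only make sense against. Order matters: more specific classes come first.
SIGNATURES = [
    ("iis", [
        re.compile(r"/default\.ida", re.I),        # Code Red style ISAPI probe
        re.compile(r"/scripts/.*cmd\.exe", re.I),  # Nimda-style traversal to cmd.exe
        re.compile(r"/_vti_bin/", re.I),           # FrontPage extensions
        re.compile(r"/msadc/", re.I),              # RDS probes
    ]),
    ("apache", [
        re.compile(r"/cgi-bin/(phf|test-cgi|nph-test-cgi)", re.I),
        re.compile(r"/server-(status|info)", re.I),
        re.compile(r"/~\w+/", re.I),               # mod_userdir enumeration
    ]),
    ("app", [  # application code probes, independent of the server product
        re.compile(r"phpMyAdmin", re.I),
        re.compile(r"/phpbb/", re.I),
        re.compile(r"/awstats", re.I),
        re.compile(r"formmail", re.I),
    ]),
]


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Tag a request path as 'iis', 'apache', 'app' or 'other'."""
    for label, patterns in SIGNATURES:
        if any(p.search(path) for p in patterns):
            return label
    return "other"


def probe_counts(lines):
    """Count requests per class; lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[classify(rec["path"])] += 1
    return counts


def iis_to_apache_ratio(counts):
    """IIS-directed probes per Apache-directed probe (inf if none hit Apache)."""
    if counts["apache"] == 0:
        return float("inf")
    return counts["iis"] / counts["apache"]


# Constructed sample: four IIS probes, two Apache probes, two application
# probes, one ordinary request and one malformed line.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jan/2004:14:01:02 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 209 "-" "-"
203.0.113.5 - - [13/Jan/2004:14:01:03 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 209 "-" "-"
203.0.113.9 - - [13/Jan/2004:14:02:10 +0000] "GET /_vti_bin/owssvr.dll HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.9 - - [13/Jan/2004:14:02:11 +0000] "GET /msadc/msadcs.dll HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [13/Jan/2004:14:05:00 +0000] "GET /cgi-bin/phf HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [13/Jan/2004:14:05:01 +0000] "GET /server-status HTTP/1.1" 403 209 "-" "-"
198.51.100.8 - - [13/Jan/2004:14:06:00 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 209 "-" "-"
198.51.100.8 - - [13/Jan/2004:14:06:01 +0000] "GET /awstats/awstats.pl HTTP/1.1" 404 209 "-" "-"
192.0.2.10 - - [13/Jan/2004:14:07:00 +0000] "GET /index.html HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
this line is not in combined log format
"""

if __name__ == "__main__":
    counts = probe_counts(SAMPLE_LOG.splitlines())
    for label in ("iis", "apache", "app", "other"):
        print(f"{label:7s} {counts[label]}")
    print(f"IIS:Apache ratio = {iis_to_apache_ratio(counts):.1f}")
```

Run it directly to see the per-class counts and the ratio for the constructed sample; on a real access log, feed `open(path)` to `probe_counts` instead. The separate "app" class is what the message's second point is about: probes for vulnerable application code arrive regardless of what the Server header claims, so a spoofed signature changes the mix of platform-directed probes without reducing those.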
