httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: TRACE still enabled by default
Date Wed, 21 Mar 2012 12:55:00 GMT


Am 21.03.2012 13:48, schrieb Tim Bannister:
> On 21 Mar 2012, at 12:39, Reindl Harald wrote:
> 
>> 1 out of a million servers needs TRACE enabled
>>
>> it was ALWAYS a good idea to disable ANYTHING by default that is not really needed,
>> and this principle will stay
> 
> inetd normally ships with echo not running, but kernels usually ship with ICMP enabled.

> I think TRACE is more like ICMP echo than tcp/7 echo.

strange comparison

> If a distribution wants to ship a default configuration that 
> disables TRACE, isn't that enough? 

no, because distributions in most cases expect
that the upstream defaults are useful and have a reason

> The issue is naïve / lazy server admins, and almost all of those 
> will install httpd from a distribution

OK, so you call me "lazy" and "naive" because I heard
about TRACE for the first time after complaints from a security
audit of a big customer, while I have spent many nights researching
server hardening over the last years?

fact is that Nessus scans usually complain about TRACE being on,
and depending on the policies of the customer you MUST disable
it, even though you did not know what it is or that it was enabled,
and hell, I do not find any case where it could be useful
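The check that the audit in question actually runs, as an added example that is not part of the thread and not httpd project code: send a TRACE request carrying a canary header and see whether the server echoes it back with a 200 (TRACE on) or refuses the method with a 405 (what httpd returns once `TraceEnable off` is set in the server config). The two sample responses are constructed, not captured from any real host; `X-Trace-Canary` is a made-up header name, and `probe_trace` needs network access and `curl`.

```shell
#!/bin/sh
# Added example: decide from a raw HTTP response whether TRACE is enabled,
# plus a live probe that feeds curl output into the same decision.

# Constructed sample responses (not captured from a real server).
ENABLED_RESPONSE='HTTP/1.1 200 OK
Date: Wed, 21 Mar 2012 12:55:00 GMT
Server: Apache
Content-Type: message/http

TRACE / HTTP/1.1
Host: example.org
X-Trace-Canary: abc123
'

DISABLED_RESPONSE='HTTP/1.1 405 Method Not Allowed
Date: Wed, 21 Mar 2012 12:55:00 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Method Not Allowed</h1></body></html>
'

# trace_enabled RESPONSE CANARY
# Prints "enabled" when the status is 200 and the canary header we sent comes
# back in the body (the request echo is the whole point of TRACE), and
# "disabled" when the server refuses the method or does not echo it.
# Exit status is 0 either way so the function composes with set -e.
trace_enabled() {
    response=$1
    canary=$2
    # Second whitespace-separated field of the status line, e.g. "200".
    status=$(printf '%s\n' "$response" | head -n 1 | cut -d' ' -f2)
    if [ "$status" = "200" ] && printf '%s\n' "$response" | grep -q "X-Trace-Canary: $canary"; then
        echo enabled
    else
        echo disabled
    fi
}

# probe_trace HOST [PORT]
# Live check against a real server; uses a fresh canary so a cached or
# unrelated 200 cannot be mistaken for a TRACE echo. Needs curl and network.
probe_trace() {
    host=$1
    port=${2:-80}
    canary="$(date +%s)$$"
    response=$(curl -s -i -m 10 -X TRACE -H "X-Trace-Canary: $canary" "http://$host:$port/")
    trace_enabled "$response" "$canary"
}

# Usage on the constructed samples:
#   trace_enabled "$ENABLED_RESPONSE" abc123    -> enabled
#   trace_enabled "$DISABLED_RESPONSE" abc123   -> disabled
# Against a host (not exercised here):
#   probe_trace www.example.org 80
```

The canary matters: a reverse proxy or load balancer in front of httpd may answer TRACE itself, and a 200 alone proves nothing, so the script only reports "enabled" when the exact header it sent is reflected in the body.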


