From: Tim Luoma
Subject: Re: How can I hide web server from netcraft?
Date: Wed, 17 Jul 2002 14:17:10 GMT

Eric Frazier wrote:
> Hi,
> I disagree, I think it is very useful to hide version info at the very
> least. That is the first clue humans and scripts look for: old versions of
> stuff. Yes, you could figure out what version of Apache someone has from
> really knowing the change logs, but I bet that would be a hell of a lot more
> difficult than a telnet to port 80 :) 

> Anyway, the less info you broadcast, the harder you make it for the avg
> kiddie. Same reasoning as limiting open ports, it is about avgs, about
> security being made up of several strategies, not just one I am secure
> because I did blank strategy. 

You have a mistaken notion, which was addressed elsewhere, that there 
are 'kiddies' who are sitting down one by one and checking your Apache 
version by hand (or by script) and then trying an attack.

That's not the way it's done.

If I check my logs, I'll find a dozen entries a day looking for 
/_vti_bin/owssvr.dll and /MSOffice -- these are automated scripts 
looking for holes on a block of IPs at a time, regardless of what Apache 
version you say you're running.

If you're going to get people looking for IIS holes when you aren't even 
running IIS, do you think changing your Apache version will make any 
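
Added example (not part of the original message or of Apache itself): a small log check for the kind of entries described above, requests for the IIS/FrontPage paths /_vti_bin/ and /MSOffice arriving at an Apache host. The log lines are constructed samples in Apache common log format, and the function and constant names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Path prefixes from the message above. Both belong to IIS/FrontPage, so a
# hit on an Apache host comes from a blind scan, whatever banner is sent.
IIS_PROBE_PREFIXES = ("/_vti_bin/", "/msoffice/")

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jul/2002:09:01:12 +0000] "GET /_vti_bin/owssvr.dll HTTP/1.1" 404 284
192.0.2.10 - - [17/Jul/2002:09:01:12 +0000] "GET /MSOffice/cltreq.asp HTTP/1.1" 404 282
198.51.100.7 - - [17/Jul/2002:09:05:40 +0000] "GET /index.html HTTP/1.0" 200 5120
203.0.113.55 - - [17/Jul/2002:10:12:03 +0000] "GET /_vti_bin/owssvr.dll HTTP/1.0" 404 284
this line is malformed and must be skipped
"""


def find_iis_probes(log_text):
    """Return {client_ip: [(path, status), ...]} for requests to IIS-only paths."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in common log format
        # Drop the query string and compare case-insensitively; the trailing
        # "/" lets a bare "/MSOffice" match without matching "/msofficefoo".
        path = m.group("path").split("?", 1)[0].lower() + "/"
        if path.startswith(IIS_PROBE_PREFIXES):
            hits[m.group("host")].append((m.group("path"), int(m.group("status"))))
    return dict(hits)


if __name__ == "__main__":
    for ip, reqs in sorted(find_iis_probes(SAMPLE_LOG).items()):
        not_found = sum(1 for _, status in reqs if status == 404)
        print(f"{ip}: {len(reqs)} IIS-path probes, {not_found} answered 404")
```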


