From: Tim Luoma
Date: Wed, 17 Jul 2002 10:17:10 -0400
To: users@httpd.apache.org
Subject: Re: How can I hide web server from netcraft?
Message-ID: <3D357C66.1030704@peak.org>

Eric Frazier wrote:
> Hi,
>
> I disagree, I think it is very useful to hide version info at the very
> least. That is the first clue humans, and scripts look for, old versions of
> stuff. Yes, you could figure out what version of Apache someone has from
> really knowing the change logs, but I bet that would be a hell of a lot more
> difficult than a telnet to port 80 :)
> Anyway, the less info you broadcast, the harder you make it for the avg
> kiddie. Same reasoning as limiting open ports, it is about avgs, about
> security being made up of several strategies, not just one I am secure
> because I did blank strategy.

You have a mistaken notion, which was addressed elsewhere, that there are 'kiddies' who are sitting down one by one and checking your Apache version by hand (or by script) and then trying an attack. That's not the way it's done.

If I check my logs, I'll find a dozen entries a day looking for /_vti_bin/owssvr.dll and /MSOffice -- these are automated scripts looking for holes on a block of IPs at a time, regardless of what Apache version you say you're running.

If you're going to get people looking for IIS holes when you aren't even running IIS, do you think changing your Apache version will make any difference?

TjL
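
The log check described in the message above, as an added example that is not part of the original message: it scans Apache access-log lines for requests to the two IIS/FrontPage paths named there and tallies them per day and per client. The log format (Apache Common/Combined), the function names and the sample lines are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Paths named in the message above. On a host that does not run IIS, requests
# for them come from scanners that never looked at the Server banner.
IIS_PROBE_PREFIXES = ("/_vti_bin/owssvr.dll", "/msoffice")

# Assumed format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def is_iis_probe(path):
    """True if the path (query string dropped, case-insensitive) is an IIS probe."""
    bare = path.split("?", 1)[0].lower()
    return bare.startswith(IIS_PROBE_PREFIXES)

def summarize(lines):
    """Return (probes per day, probed paths per client, count of unparsed lines)."""
    per_day = Counter()
    per_client = defaultdict(set)
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1  # keep count so malformed input is not silently lost
            continue
        if is_iis_probe(m["path"]):
            per_day[m["day"]] += 1
            per_client[m["host"]].add(m["path"].split("?", 1)[0])
    return per_day, dict(per_client), unparsed

# Constructed sample lines (documentation-range addresses), not from a real log.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jul/2002:03:12:01 -0400] "GET /_vti_bin/owssvr.dll?a=1 HTTP/1.1" 404 284
192.0.2.10 - - [17/Jul/2002:03:12:01 -0400] "GET /MSOffice/ HTTP/1.1" 404 281
198.51.100.7 - - [17/Jul/2002:09:40:13 -0400] "GET /index.html HTTP/1.0" 200 1043
203.0.113.5 - - [17/Jul/2002:11:02:44 -0400] "GET /_vti_bin/owssvr.dll HTTP/1.1" 404 284
203.0.113.5 - - [18/Jul/2002:00:15:09 -0400] "GET /msoffice/ HTTP/1.1" 404 281
this line is not a log entry
""".splitlines()

if __name__ == "__main__":
    days, clients, bad = summarize(SAMPLE_LOG)
    print(dict(days))
    print({host: sorted(paths) for host, paths in clients.items()})
    print("unparsed:", bad)
```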