From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: Stripping out all version info?
Date Wed, 21 Aug 2002 12:07:16 GMT
>From: David Yip [mailto:dy@davidyip.com]
>
>I do think it is a good practice to send bogus server name and version 
>since most of the vulnerability scanners depend on this and 
>this is the simplest way to fool them.

Oh really? Then why is it that my Unix Apache server gets millions of CodeRed and Nimda attacks
which would only work against an IIS server? Why are they not "fooled"?

You should make sure your server is secure - then it doesn't matter if people know your OS,
version etc. If it is not secure then hiding your signature will not save you.

Consider the following scenario:

Boss: So we got hacked - all our customer data was stolen and we've lost the trust of all
our users - how did they get in?

Sysadmin: They used a chunked-encoding hack that 1.3.23 is vulnerable to.

Boss: What version are we running?

Sysadmin: 1.3.23

Boss: WHY DIDN'T WE UPGRADE!!!

Sysadmin: I didn't think it was necessary... I hid the version number - I don't understand
how they guessed it!

Boss: <guess the rest>


