httpd-users mailing list archives
From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] Suggestion (security related)
Date Wed, 22 Jan 2003 15:33:44 GMT

On Wed, 22 Jan 2003, Lars Hecking wrote:
>  The default httpd.conf file that gets installed should set ServerTokens to
>  Prod rather than Full. Especially with 1.3.x, the information about the
>  installed OpenSSL version makes it effortlessly simple to find out whether
>  a web server is vulnerable to one of the published OpenSSL remote root
>  exploits.

This debate comes up every couple of months.

Disguising the identity of the server provides almost no security because:

1. A smart hacker can easily figure it out using more subtle tests.

2. A stupid hacker doesn't care, he just tries every possible exploit on
every possible system.

One variant of the OpenSSL worm was a rare exception that actually did
look at the Server header.  In most cases, the worms try every system
regardless.  That is why users of Apache see so many Code Red/etc worms
in their access logs, even though they only exploit IIS.

In certain cases it may be beneficial to hide the Server header.  But not
as a default.  You give up too much information that is useful in problem
solving.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
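As an added illustration of what the message is arguing about (this is example code, not part of the original post or of the Apache project), the script below parses a Server header value into its product, version and comment tokens and reports which versions it discloses, so an administrator can audit their own server's output. The two header strings are constructed to resemble what Apache 1.3.x sends under `ServerTokens Full` and `ServerTokens Prod`; the level estimate collapses the Major/Minor/Min settings into one bucket and is an approximation, not a definition taken from the Apache documentation.

```python
import re

# Constructed Server header values, shaped like what Apache 1.3.x emits
# under ServerTokens Full and ServerTokens Prod (assumed for illustration,
# not captured from any real host).
SAMPLE_HEADERS = {
    "Full": "Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6g",
    "Prod": "Apache",
}

# A Server header is a sequence of product[/version] tokens and
# parenthesised comments. Group 1: comment text; group 2: product;
# group 3: optional version.
_TOKEN_RE = re.compile(r"\(([^)]*)\)|([^\s/(]+)(?:/(\S+))?")


def parse_server_header(value):
    """Split a Server header into (product, version, comment) tuples.

    Product tokens yield (product, version_or_None, None); comments yield
    (None, None, comment_text).
    """
    items = []
    for match in _TOKEN_RE.finditer(value):
        comment, product, version = match.groups()
        if comment is not None:
            items.append((None, None, comment.strip()))
        else:
            items.append((product, version, None))
    return items


def disclosed_versions(value):
    """Return {product: version} for every token that carries a version.

    This is the information the message calls 'effortlessly simple' to
    read off: every entry here is a component whose exact version is
    being advertised to any client that sends a request.
    """
    return {p: v for p, v, _ in parse_server_header(value) if p and v}


def estimated_tokens_level(value):
    """Guess the ServerTokens setting from the header alone (approximate).

    Prod  -> product name only
    Min   -> product plus version (also covers Major/Minor)
    OS    -> product, version and an OS comment, no module tokens
    Full  -> additional module/library tokens present
    """
    items = parse_server_header(value)
    products = [(p, v) for p, v, c in items if p]
    comments = [c for p, v, c in items if c]
    if len(products) > 1:
        return "Full"
    if comments:
        return "OS"
    if products and products[0][1]:
        return "Min"
    return "Prod"


def exposure_report(value):
    """Human-readable summary of what a Server header value gives away."""
    versions = disclosed_versions(value)
    level = estimated_tokens_level(value)
    if not versions:
        detail = "no component versions disclosed"
    else:
        detail = ", ".join(f"{p} {v}" for p, v in versions.items())
    return f"Server: {value!r} -> looks like ServerTokens {level}; {detail}"


if __name__ == "__main__":
    for setting, header in SAMPLE_HEADERS.items():
        print(f"[{setting}] {exposure_report(header)}")
```

Run against a live server by pasting the value of its Server response header into `exposure_report()`; the point of the check is only to confirm which setting a host actually runs, since, as the message notes, hiding the header does not by itself stop attackers who try every exploit regardless.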

