httpd-users mailing list archives

From "Jeff Cohen" <li...@gej-it.com>
Subject RE: [users@httpd] Setup HTTP server
Date Sat, 12 Apr 2003 02:10:07 GMT
Tim, I remember a discussion regarding that was posted a couple of days after
I subscribed to the list; you might be able to find it in the Archives.
At the end of it everybody agreed that a secure server and the blocked
server tokens have nothing in common related to any security issues UNLESS
you don't keep your server and the server's packages up-to-date for the
whole period that it's facing the global network (The Internet).
Most admins prefer to block the tokens for some reasons, me for example, I'm
hosting 6 different business web sites, and I'm not afraid that the whole
world will know that I'm running it on a Win32 machine, I know that I keep
my server up-to-date with every patch. Most of the time, I just don't have
the time for it, but I am finding the time in order to serve better.

All the best,
Jeff Cohen

> -----Original Message-----
> From: Tim Wort [mailto:tim@pobox.com]
> Sent: Friday, April 11, 2003 9:59 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Setup HTTP server
> 
> 
> 
> 
> I have to disagree with you here Joshua, while I do agree security by
> obscurity is not in itself good security it does help. Many hackers
> scan the net just to have databases of what server, OS, sendmail etc is
> where so that when a new exploit comes around they can use it against a
> known group of systems.
> 
> Most, if not all security classes include information about hiding banners
> for services like sendmail, hiding the apache version can only help and I
> see no downside. IMHO
> 
> 
> 
> On Fri, 11 Apr 2003, Joshua Slive wrote:
> 
> >
> > On Fri, 11 Apr 2003, Loc Nguyen wrote:
> >
> > > I am doing this because there are a lot of hackers using the result
> > > of the OPTIONS method to fingerprint the web server. Dropping this
> > > information helps to protect the server a little bit more.
> > >
> >
> > Not really.  The way to protect your server is to keep it secure, not to
> > hide insecurity.  Dropping OPTIONS just makes your server less useful.
> >
> > Trying to hide the identity of your server doesn't help because:
> >
> > 1. Stupid skript-kiddies don't really care what you are running.  They
> > just try every hack against every IP address they can find.
> >
> > 2. Smart crackers will be able to find information about your server in
> > hundreds of different ways with or without OPTIONS.
> >
> > Joshua.
> >
> >
> >
> 
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> =        Inkling Research Inc.      =
> =    Tim.Wort@InklingResearch.com   =
> =        Tim.Wort@pobox.com         =
> =                                   =
> =        Eschew Obfuscation         =
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

