httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] Setup HTTP server
Date Mon, 14 Apr 2003 12:30:08 GMT
>-----Original Message-----
>From: Tim Wort [mailto:tim@pobox.com]
>
>That isn't a hacker, it's a worm. 

And who wrote the worm? It didn't write itself...

>You are certainly entitled to your opinion, even if it is flawed. :^)

It is only your opinion that my opinion is flawed (this could go on all day :-)

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

>Do as you wish Owen.
>
>>
>> Rgds,
>> Owen Boyle
>> Disclaimer: Any disclaimer attached to this message may be ignored.
>>
>> >-----Original Message-----
>> >From: Tim Wort [mailto:tim@pobox.com]
>> >Sent: Samstag, 12. April 2003 05:46
>> >To: users@httpd.apache.org
>> >Subject: Re: [users@httpd] Setup HTTP server
>> >
>> >
>> >
>> >As a matter of fact, I instruct security courses (Linux and Sun), have for
>> >some years. My comments were about the banner only, not options. I
>> >suppose you can dismiss the recommendations of groups like Sans, Security
>> >Focus, Sun Blueprints and others. Information linkage is often listed as
>> >one of the major security problems.
>> >
>> >When I instruct a course I never tell people that they must do anything, I
>> >recently had a student tell me ssh was too complex to use. I, of course,
>> >do not agree but hey, it's his box, network, system, company. He can do
>> >as he pleases.
>> >
>> >All security is a trade off.
>> >
>> >To each his own.
>> >
>> >On Fri, 11 Apr 2003, Joshua Slive wrote:
>> >
>> >>
>> >> On Fri, 11 Apr 2003, Tim Wort wrote:
>> >>
>> >> > I have to disagree with you here Joshua, while I do agree security by
>> >> > obscurity is not in itself good security it does help. Many hackers
>> >> > scan the net just to have databases of what server, OS, sendmail etc is
>> >> > where so that when a new exploit comes around they can use it against a
>> >> > known group of systems.
>> >> >
>> >> > Most, if not all security classes include information about hiding banners
>> >> > for services like sendmail, hiding the apache version can only help and I
>> >> > see no downside. IMHO
>> >>
>> >> The fact that a security class includes something doesn't necessarily mean
>> >> it is good security.  These people need to find something to teach you
>> >> if they are going to charge big bucks ;-)
>> >>
>> >> I can't argue that these practices will never save you from anything.
>> >> Certainly, there are some crackers out there who are too lazy to try a
>> >> hack on every IP address and too stupid to figure it out without the
>> >> banner.  But these things are always a tradeoff.  For this minuscule bit
>> >> of security you lose:
>> >>
>> >> 1. Your time, that could be better spent working on real security issues.
>> >>
>> >> 2. Functionality.  In the case of ServerTokens, you make it more difficult
>> >> for people to debug problems.  In the case of OPTIONS, you disable a
>> >> feature that can be used by advanced web clients.
>> >>
>> >> For me, there is no question that the benefit of this hiding is way too
>> >> small to outweigh those costs.
>> >>
>> >> Of course, I'm not in any way a security expert, so you should feel free
>> >> to ignore what I say ;-)
>> >>
>> >> Joshua.
>> >>
>> >> ---------------------------------------------------------------------
>> >> The official User-To-User support forum of the Apache HTTP Server Project.
>> >> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> >>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
>> >> For additional commands, e-mail: users-help@httpd.apache.org
>> >>
>> >>
>> >>
>> >
>> >=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>> >=        Inkling Research Inc.      =
>> >=    Tim.Wort@InklingResearch.com   =
>> >=        Tim.Wort@pobox.com         =
>> >=                                   =
>> >=        Eschew Obfuscation         =
>> >=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
