httpd-users mailing list archives

From Tim Wort <...@pobox.com>
Subject RE: [users@httpd] Setup HTTP server
Date Sat, 12 Apr 2003 02:27:08 GMT

I don't disagree with anything you say. I would agree that blocking tokens
doesn't enhance the security of the server; however, it is still a good
security practice.

I would also point out that while I too keep my servers secure I can't
protect them against a new exploit I am not yet aware of. I still don't
see a downside to blocking that information where possible. An extra layer
can't hurt.

As I said, banner hiding is a common and recommended security practice.
So, I guess I have to dissent from the opinions you cited.

That's okay, we can agree to disagree. :^)

Take care...


On Fri, 11 Apr 2003, Jeff Cohen wrote:

> Tim, I remember a discussion regarding that was posted a couple of days after
> I subscribed to the list; you might be able to find it in the Archives.
> At the end of it everybody agreed that a secure server and the blocked
> server tokens have nothing in common related to any security issues UNLESS
> you don't keep your server and the server's packages up-to-date for the
> whole period that it's facing the global network (the Internet).
> Most admins prefer to block the tokens for some reasons; me for example, I'm
> hosting 6 different business web sites, and I'm not afraid that the whole
> world will know that I'm running it on a Win32 machine; I know that I keep
> my server up-to-date with every patch. Most of the time, I just don't have
> the time for it, but I am finding the time in order to serve better.
>
> All the best,
> Jeff Cohen
>
> > -----Original Message-----
> > From: Tim Wort [mailto:tim@pobox.com]
> > Sent: Friday, April 11, 2003 9:59 PM
> > To: users@httpd.apache.org
> > Subject: Re: [users@httpd] Setup HTTP server
> >
> > I have to disagree with you here, Joshua. While I do agree security by
> > obscurity is not in itself good security, it does help. Many hackers
> > scan the net just to have databases of what server, OS, sendmail etc. is
> > where so that when a new exploit comes around they can use it against a
> > known group of systems.
> >
> > Most, if not all, security classes include information about hiding banners
> > for services like sendmail; hiding the apache version can only help and I
> > see no downside. IMHO
> >
> > On Fri, 11 Apr 2003, Joshua Slive wrote:
> >
> > >
> > > On Fri, 11 Apr 2003, Loc Nguyen wrote:
> > >
> > > > I am doing this because there are a lot of hackers using the result of
> > > > the OPTIONS method to fingerprint the web server. Dropping this
> > > > information helps to protect the server a little bit more.
> > > >
> > >
> > > Not really.  The way to protect your server is to keep it secure, not to
> > > hide insecurity.  Dropping OPTIONS just makes your server less useful.
> > >
> > > Trying to hide the identity of your server doesn't help because:
> > >
> > > 1. Stupid skript-kiddies don't really care what you are running.  They
> > > just try every hack against every IP address they can find.
> > >
> > > 2. Smart crackers will be able to find information about your server in
> > > hundreds of different ways with or without OPTIONS.
> > >
> > > Joshua.
> > >
> >
> > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> > =        Inkling Research Inc.      =
> > =    Tim.Wort@InklingResearch.com   =
> > =        Tim.Wort@pobox.com         =
> > =                                   =
> > =        Eschew Obfuscation         =
> > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>






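The banner hiding argued over in this thread is Apache httpd's ServerTokens directive (ServerTokens Prod trims the Server header to "Apache"; ServerSignature Off drops the version from server-generated error pages). What follows is an added example, not code from the thread or from the httpd project: a small Python audit that maps an observed Server header back to the ServerTokens level that produced it, so an admin can confirm the configured setting actually took effect on a public-facing host. The sample headers are constructed, not captured from any real server.

```python
import re
from typing import Optional

# Constructed sample Server headers, one per ServerTokens level, in the
# shape Apache httpd emits them (version and module numbers are made up).
SAMPLE_HEADERS = {
    "Full":  "Apache/2.4.57 (Unix) OpenSSL/3.0.9 PHP/8.2.7",
    "OS":    "Apache/2.4.57 (Unix)",
    "Min":   "Apache/2.4.57",
    "Minor": "Apache/2.4",
    "Major": "Apache/2",
    "Prod":  "Apache",
}

# ServerTokens levels from least to most disclosing.
LEVELS = ["Prod", "Major", "Minor", "Min", "OS", "Full"]

def classify_server_header(value: str) -> Optional[str]:
    """Return the ServerTokens level that would produce this Server header,
    or None if the header is not an Apache httpd banner at all."""
    tokens = value.strip().split()
    if not tokens:
        return None
    product, _, version = tokens[0].partition("/")
    if product != "Apache":
        return None
    if version and not re.fullmatch(r"\d+(\.\d+){0,2}", version):
        return None
    extra = tokens[1:]
    if extra:
        # The OS token is parenthesised; anything after it is a module list.
        os_only = (len(extra) == 1 and extra[0].startswith("(")
                   and extra[0].endswith(")"))
        return "OS" if os_only else "Full"
    if not version:
        return "Prod"
    # Count version components: 2 -> Major, 2.4 -> Minor, 2.4.57 -> Min.
    return {1: "Major", 2: "Minor", 3: "Min"}[version.count(".") + 1]

def audit_banner(value: str, want: str = "Prod") -> dict:
    """Compare an observed banner with the level the admin meant to set
    (assumed default: Prod) and report what the banner still discloses."""
    level = classify_server_header(value)
    return {
        "level": level,
        "compliant": level is not None
                     and LEVELS.index(level) <= LEVELS.index(want),
        "shows_patch_version": level in ("Min", "OS", "Full"),
        "shows_os": level in ("OS", "Full"),
        "shows_modules": level == "Full",
    }
```

Feed the function the Server header from a response to a HEAD or OPTIONS request against your own host; a "compliant" of False means the directive did not take effect (for example, set in a vhost that is not the one answering).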