httpd-users mailing list archives

From Tim Wort <...@pobox.com>
Subject RE: [users@httpd] Setup HTTP server
Date Mon, 14 Apr 2003 12:24:48 GMT
On Mon, 14 Apr 2003, Boyle Owen wrote:

> This thread pops up every so often and is always interesting... If
> hackers bothered about checking the ServerTokens string, how come all
> our apache servers are constantly getting bothered by all those "GET
> ../winnt/system32/cmd.exe" Nimda requests? Actually, I wish the hackers
> *would* check the ServerToken, then we'd get more peace...

That isn't a hacker, it's a worm. The GET and HEADER requests could be a
hacker, seen less often.



>
> The ServerToken string provides useful statistical information for those
> who monitor the development of the web and it serves no purpose to
> obscure it. Switching it off is about as clever as painting out the word
> "Chubb" on your door-lock and expecting to be safe from a lock-picking
> burglar.

You are certainly entitled to your opinion, even if it is flawed. :^)
Do as you wish Owen.

>
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.
>
> >-----Original Message-----
> >From: Tim Wort [mailto:tim@pobox.com]
> >Sent: Samstag, 12. April 2003 05:46
> >To: users@httpd.apache.org
> >Subject: Re: [users@httpd] Setup HTTP server
> >
> >
> >
> >As a matter of fact, I instruct security courses (Linux and Sun), have for
> >some years. My comments were about the banner only, not options.  I
> >suppose you can dismiss the recommendations of groups like Sans, Security
> >Focus, Sun Blueprints and others. Information leakage is often listed as
> >one of the major security problems.
> >
> >When I instruct a course I never tell people that they must do anything. I
> >recently had a student tell me ssh was too complex to use. I, of course,
> >do not agree but hey, it's his box, network, system, company. He can do
> >as he pleases.
> >
> >All security is a trade off.
> >
> >To each his own.
> >
> >On Fri, 11 Apr 2003, Joshua Slive wrote:
> >
> >>
> >> On Fri, 11 Apr 2003, Tim Wort wrote:
> >>
> >> > I have to disagree with you here Joshua, while I do agree security by
> >> > obscurity is not in itself good security it does help. Many hackers
> >> > scan the net just to have databases of what server, OS, sendmail etc is
> >> > where so that when a new exploit comes around they can use it against a
> >> > known group of systems.
> >> >
> >> > Most, if not all, security classes include information about hiding
> >> > banners for services like sendmail; hiding the apache version can only
> >> > help and I see no downside. IMHO
> >>
> >> The fact that a security class includes something doesn't necessarily
> >> mean it is good security.  These people need to find something to teach
> >> you if they are going to charge big bucks ;-)
> >>
> >> I can't argue that these practices will never save you from anything.
> >> Certainly, there are some crackers out there who are too lazy to try a
> >> hack on every IP address and too stupid to figure it out without the
> >> banner.  But these things are always a tradeoff.  For this minuscule bit
> >> of security you lose:
> >>
> >> 1. Your time, that could be better spent working on real security issues.
> >>
> >> 2. Functionality.  In the case of ServerTokens, you make it more difficult
> >> for people to debug problems.  In the case of OPTIONS, you disable a
> >> feature that can be used by advanced web clients.
> >>
> >> For me, there is no question that the benefit of this hiding is way too
> >> small to outweigh those costs.
> >>
> >> Of course, I'm not in any way a security expert, so you should feel free
> >> to ignore what I say ;-)
> >>
> >> Joshua.
> >>
> >> ---------------------------------------------------------------------
> >> The official User-To-User support forum of the Apache HTTP Server Project.
> >> See <URL:http://httpd.apache.org/userslist.html> for more info.
> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> >> For additional commands, e-mail: users-help@httpd.apache.org
> >>
> >>
> >>
> >
> >=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >=        Inkling Research Inc.      =
> >=    Tim.Wort@InklingResearch.com   =
> >=        Tim.Wort@pobox.com         =
> >=                                   =
> >=        Eschew Obfuscation         =
> >=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >
> >
> >
>
>
>
>






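Tim's distinction between worm traffic and hand-driven probing can be checked against the server's own access log. The following is an added example, not code from this thread or from the Apache project: it scans constructed Apache combined-log lines (sample data, not real logs) and separates Nimda-style cmd.exe/root.exe traversal requests, which land on any host regardless of its ServerTokens setting, from bare HEAD/OPTIONS probes and ordinary traffic.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Apr/2003:12:01:03 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
10.0.0.9 - - [14/Apr/2003:12:01:07 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
10.0.0.9 - - [14/Apr/2003:12:01:08 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
10.0.0.9 - - [14/Apr/2003:12:01:09 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
10.0.0.7 - - [14/Apr/2003:12:02:00 +0000] "HEAD / HTTP/1.0" 200 - "-" "-"
10.0.0.7 - - [14/Apr/2003:12:02:01 +0000] "OPTIONS * HTTP/1.0" 200 - "-" "-"
"""

# client, ident, user, [timestamp], "METHOD path protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Nimda-era IIS worm signature: cmd.exe or root.exe reached through a traversal path.
# The worm never reads the Server header, so the request arrives whatever ServerTokens says.
WORM_RE = re.compile(r"(cmd\.exe|root\.exe)", re.IGNORECASE)

# Methods typical of a manual banner or feature probe rather than a page fetch.
PROBE_METHODS = {"HEAD", "OPTIONS"}


def classify(line):
    """Return 'worm', 'probe' or 'normal' for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if WORM_RE.search(m.group("path")):
        return "worm"
    if m.group("method") in PROBE_METHODS:
        return "probe"
    return "normal"


def summarize(log_text):
    """Count each class of request and collect the client addresses sending worm traffic."""
    counts = Counter()
    worm_sources = set()
    for line in log_text.splitlines():
        kind = classify(line)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "worm":
            worm_sources.add(LOG_RE.match(line).group("ip"))
    return counts, worm_sources


if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_LOG)
    print(dict(counts), sorted(sources))
```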
