httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] Setup HTTP server
Date Sat, 12 Apr 2003 03:21:31 GMT

On Fri, 11 Apr 2003, Tim Wort wrote:

> I have to disagree with you here Joshua, while I do agree security by
> obscurity is not in itself good security it does help. Many hackers
> scan the net just to have databases of what server, OS, sendmail etc is
> where so that when a new exploit comes around they can use it against a
> known group of systems.
>
> Most, if not all, security classes include information about hiding banners
> for services like sendmail, hiding the apache version can only help and I
> see no downside. IMHO

The fact that a security class includes something doesn't necessarily mean
it is good security.  These people need to find something to teach you
if they are going to charge big bucks ;-)

I can't argue that these practices will never save you from anything.
Certainly, there are some crackers out there who are too lazy to try a
hack on every IP address and too stupid to figure it out without the
banner.  But these things are always a tradeoff.  For this minuscule bit
of security you lose:

1. Your time, that could be better spent working on real security issues.

2. Functionality.  In the case of ServerTokens, you make it more difficult
for people to debug problems.  In the case of OPTIONS, you disable a
feature that can be used by advanced web clients.

For me, there is no question that the benefit of this hiding is way too
small to outweigh those costs.

Of course, I'm not in any way a security expert, so you should feel free
to ignore what I say ;-)

Joshua.
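The two directives the thread argues about, shown as an added configuration example that is not part of the original message (Apache 2.4 syntax is assumed, and the header values in the comments are constructed for a hypothetical build):

```apache
# httpd.conf fragment (added illustration; the version strings below are
# constructed for a hypothetical build, not taken from the thread).

# ServerTokens controls how much the Server response header reveals.
# The default, Full, is what makes remote debugging of module/version
# problems easy, and also what a banner-scanning database records:
#   ServerTokens Full   ->  Server: Apache/2.4.x (Unix) OpenSSL/1.1.x PHP/8.x
#   ServerTokens OS     ->  Server: Apache/2.4.x (Unix)
#   ServerTokens Minor  ->  Server: Apache/2.4
#   ServerTokens Min    ->  Server: Apache/2.4.x
#   ServerTokens Major  ->  Server: Apache/2
#   ServerTokens Prod   ->  Server: Apache
ServerTokens Prod

# ServerSignature puts the same version line on server-generated pages
# (error pages, directory listings); Off keeps it out of those as well.
ServerSignature Off

# The OPTIONS side of the tradeoff: limiting methods server-wide to
# GET, POST and HEAD also rejects OPTIONS (HTTP 403), the method some
# clients use to discover what a resource supports.
<Location "/">
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Location>
```

Whichever setting is chosen, it changes only what is advertised, not what is running, so the patching schedule is the same either way.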

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

