httpd-users mailing list archives

From Brian Dessent <br...@dessent.net>
Subject Re: [users@httpd] Apache/1.3.28 Server at foo.bar.edu Port 80 - the old ServerSignature debate...
Date Tue, 18 Nov 2003 11:52:58 GMT
Rafael Faura wrote:

> way to do it. Your scenario is a bit.. mmm, nonsense, no good admin will
> say that, lol.

Uhhh, what?  Your view is definitely in the minority of clueful
administrators if you ask me.  See also "security by obscurity."

> "If you run a vulnerable version you'll be hacked", ok, but you'll be hacked
> faster if you show everybody your version, right? (at least let that

If something's listening on port 80, it's eventually going to have a
test-exploit sent to it, regardless of what it's reporting to the
world.  And these days with backporting being common, the reported
version is of little use to the attacker anyway.  "This server says
2.0.40, is this an ancient unpatched version of Apache, or has this guy
been running his Redhat up2date?  I don't know, guess I'll just have to
test every server on port 80 I come upon."

> version, hehe >:)). Anyway, the first post of this series was related to a
> user that wants to hide its Apache version from server error pages... Of
> course he was asking only that, he didn't ask: "hey, I want to completely
> secure and protect my Apache server!!!", that's another story ;).

Yes, his request was very simple and easy to fill.  It was the unwritten
implication that this was under the guise of security that caused the
repliers to mention this fact, that it has no benefit.  That it went
challenged just goes to show that it's a common misconception and thus
the responses in this thread have served a useful purpose.

> Btw, changing TWO words on httpd.conf ('prod' and 'off' don't seem to me an
> enormous waste of time) and I don't think that somebody will ignore an
> important apache upgrade by the fact that they changed serversignature or
> servertokens ...

Sure it's easy to do.  So would be me taping a sign to my front door
that read "There is no TV in this house."  Do you think that would have
any effect on a burglar's likelihood to leave, having come upon my house
in search of a TV to steal?  Especially if he noticed that indeed there
was a TV when he glanced in the window earlier...

Brian

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
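
Added example, not part of the message above or of the Apache project's code: a small audit helper that reports which ServerTokens level a `Server` header corresponds to and which fields it discloses, so an administrator can confirm what the 'prod' setting changed. The function name `classify_banner` is hypothetical and the sample banners are constructed; the banner shapes per level follow the Apache documentation. The level describes only the banner text, not the patch state, which is the backporting point made in the message.

```python
import re

# Banner shapes per ServerTokens level (Prod, Major, Minor, Min, OS, Full),
# following the Apache documentation for the ServerTokens directive.
_BANNER = re.compile(
    r"^Apache(?:/(?P<version>\d+(?:\.\d+){0,2}))?"   # optional version
    r"(?:\s+\((?P<os>[^)]*)\))?"                     # optional "(OS)"
    r"(?P<modules>(?:\s+\S+)*)\s*$"                  # optional module tokens
)


def classify_banner(server_header):
    """Return (ServerTokens level, list of disclosed fields) for a Server header."""
    m = _BANNER.match(server_header.strip())
    if m is None:
        return ("not-apache", [])
    version = m.group("version")
    os_name = m.group("os")
    modules = m.group("modules").split()

    disclosed = ["product"]
    if version:
        disclosed.append("version")
    if os_name:
        disclosed.append("os")
    if modules:
        disclosed.append("modules")

    if modules:
        level = "Full"
    elif os_name:
        level = "OS"
    elif version:
        # One, two or three version components: Major, Minor, Min.
        level = {1: "Major", 2: "Minor", 3: "Min"}[version.count(".") + 1]
    else:
        level = "Prod"
    return (level, disclosed)


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    for banner in ("Apache", "Apache/2.0.40", "Apache/2.0.40 (Red Hat Linux)",
                   "Apache/1.3.28 (Unix) PHP/4.3.3"):
        print(banner, "->", classify_banner(banner))
```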

