httpd-users mailing list archives

From "Rafael Faura" <rfa...@bassy.net>
Subject RE: [users@httpd] Apache/1.3.28 Server at foo.bar.edu Port 80 - the old ServerSignature debate...
Date Tue, 18 Nov 2003 09:47:43 GMT


There are lots of novice users reading this list which is why your
erroneous opinion has to be challenged. It is important that new apache
admins learn good security habits and foremost among those is keeping
the OS and software up-to-date. If you do that, your ServerSignature is
as much use to a hacker as your IP address. If you convince new users
that obscuring the ServerSignature somehow improves security, they will
waste time on this fool's errand and, even worse, may delay or ignore
upgrades because they think they're safe. 

You can do what you like with your ServerSignature (that's why the
directive exists) but don't think it improves security. If you run a
vulnerable version, you can hide but you will get hacked. If you stay on
the crest of the version wave then you will be secure and it doesn't
matter who knows what version you're using. Obscuring the
ServerSignature is like covering up the word "Chubb" on a padlock and
thinking this makes it harder to pick.

-----------------

Of course. I said that serversignature and servertokens are ONE of the ways
to improve security (maybe an insignificant improvement) and not the ONLY
way to do it. Your scenario is a bit.. mmm, nonsense, no good admin will
say that, lol.

"If you run a vulnerable version you'll be hacked", ok, but you'll be hacked
faster if you show everybody your version, right? (at least let those
hackers waste their time trying to figure out which apache version you are using
and checking every apache bug/exploit from the first 1.x.xx & 2.x.xx
version, hehe >:)). Anyway, the first post of this series was related to a
user who wants to hide its apache version from server error pages... Of
course he was asking only that, he didn't ask: "hey, I want to completely
secure and protect my Apache server!!!", that's another story ;).

Btw, changing TWO words in httpd.conf ('prod' and 'off' don't seem to me an
enormous waste of time) and I don't think that somebody will ignore an
important apache upgrade just because they changed serversignature or
servertokens ...
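As an added self-check (not code from this thread or from the Apache project): a small Python audit that infers the ServerTokens level from a Server header and spots the ServerSignature footer on a server-generated page like the one in the subject line. The banner formats per level follow the Apache httpd documentation; the sample response below is constructed.

```python
import re

# ServerTokens levels and the Server header form each one produces,
# per the Apache httpd documentation (most to least revealing).
_TOKEN_LEVELS = [
    ("Full",  r"^Apache/\d+\.\d+\.\d+ \([^)]+\) \S.*$"),   # version, OS, modules
    ("OS",    r"^Apache/\d+\.\d+\.\d+ \([^)]+\)$"),         # version and OS
    ("Min",   r"^Apache/\d+\.\d+\.\d+$"),                   # full version only
    ("Minor", r"^Apache/\d+\.\d+$"),
    ("Major", r"^Apache/\d+$"),
    ("Prod",  r"^Apache$"),                                 # product name only
]

# ServerSignature On/EMail appends an <address> footer to server-generated
# pages, e.g. "<address>Apache/1.3.28 Server at foo.bar.edu Port 80</address>".
# With EMail the host is wrapped in a mailto: link, so tags are stripped below.
_SIGNATURE = re.compile(
    r"<address>(?P<banner>.+?) Server at (?P<host>.+?) Port (?P<port>\d+)</address>",
    re.IGNORECASE | re.DOTALL,
)

def server_tokens_level(header):
    """Infer the ServerTokens setting from a Server header value."""
    header = header.strip()
    for level, pattern in _TOKEN_LEVELS:
        if re.match(pattern, header):
            return level
    return "Unknown"  # not an Apache-style banner

def audit_response(server_header, body):
    """Report what a response discloses: the inferred ServerTokens level and,
    if a ServerSignature footer is present, the version/host/port it shows."""
    report = {"server_tokens": server_tokens_level(server_header), "signature": None}
    m = _SIGNATURE.search(body)
    if m:
        strip = lambda s: re.sub(r"<[^>]+>", "", s).strip()
        report["signature"] = {"banner": strip(m.group("banner")),
                               "host": strip(m.group("host")),
                               "port": int(m.group("port"))}
    return report

# Constructed sample: a 404 page from a server still on the defaults debated
# in the thread (ServerTokens Full, ServerSignature On). Module name is made up.
SAMPLE_HEADER = "Apache/1.3.28 (Unix) mod_example/1.0"
SAMPLE_BODY = ("<html><body><h1>Not Found</h1>"
               "<address>Apache/1.3.28 Server at foo.bar.edu Port 80</address>"
               "</body></html>")

if __name__ == "__main__":
    print(audit_response(SAMPLE_HEADER, SAMPLE_BODY))
```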



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

