httpd-users mailing list archives

From "Taco Fleur" <tacofl...@nella.net.au>
Subject RE: [users@httpd] Stop Apache from reporting version number anywhere..
Date Mon, 26 Jan 2004 04:12:13 GMT
I don't think you understand one bit - I am not deluding myself and thinking
it will give me security, what I do know is that I am not handing any info
that will help them...

You hand them all the info you want; I'll try to hand over as little info
as I can. Everyone happy.

Taco Fleur
Blog http://www.tacofleur.com/index/blog/
Methodology http://www.tacofleur.com/index/methodology/
0421 851 786
Tell me and I will forget
Show me and I will remember
Teach me and I will learn 


> -----Original Message-----
> From: Brian Dessent [mailto:brian@dessent.net] 
> Sent: Monday, 26 January 2004 2:06 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Stop Apache from reporting version 
> number anywhere..
> 
> 
> Taco Fleur wrote:
> 
> > I didn't think it would patch any security holes.
> > 
> > I don't agree with what you are saying, I believe displaying the 
> > webserver software and version is like giving someone my Bank name, 
> > account type and branch address, all they need to find out 
> is what my 
> > PIN is.
> 
> It's giving them info that they will have regardless of 
> whether you tell them or not.  If you honestly think someone 
> is going to probe your server and see the 'Header:' string 
> that doesn't contain a version number, and then say "Well, so 
> much for that, I guess he's not vulnerable" then you are 
> seriously deluding yourself.  When someone wants to know if 
> your server is vulnerable to an exploit, they try the 
> exploit.  They don't go by what version the server reports.  
> And if you seriously think that the only way to identify the 
> server software and version is by looking at the 'Header:' 
> field then you really need to read up on the security field.
> 
> This is especially true in the age of backporting.  The 
> redhat apache version is still 2.0.40, but they've backported 
> all of the serious flaws from the current .48.  So if an 
> attacker was scanning simply based on version numbers they 
> would have tons and tons of false positives for all those 
> Redhat systems out there.  In other words, attackers are not 
> fooled by what that header says.  Not displaying a version 
> number is not going to deter anyone.
> 
> Feel free to hide the version number if you really want to, 
> but DON'T delude yourself into thinking that it affords you 
> some degree of security.  If you have vulnerabilities you 
> need to fix them, period. 
> Changing the version string is not insurance against anything.
> 
> Brian
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project. See 
> <URL:http://httpd.apache.org/userslist.html> for more info. 
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 


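The directives that do what the subject line of this thread asks for are not spelled out anywhere above, so here they are as an added example (not from either poster, and not quoted from the Apache documentation). It assumes a stock Apache HTTP Server 2.x install with the directives placed in the main server configuration; the verbose and minimal settings are shown side by side.

```apache
# Added example, not part of the thread: the two httpd directives that control
# what Apache reports about itself. Assumed to live in httpd.conf (or an
# included conf file) of a stock Apache 2.x server.

# --- Verbose setting ---
# ServerTokens Full is the compiled-in default. It sends a header such as
#   Server: Apache/2.0.48 (Unix) PHP/4.3.4
# and, with ServerSignature On, appends a line carrying the server version and
# hostname to every server-generated page (404s, directory indexes, and so on).
# ServerTokens Full
# ServerSignature On

# --- Minimal setting ---
# Prod trims the header to "Server: Apache". The product name itself stays;
# this directive cannot make the header disappear altogether.
ServerTokens Prod

# Off drops the version/hostname line from server-generated pages.
ServerSignature Off
```

After a restart, a request for a non-existent page will show whether the version has gone from both the `Server:` header and the error page body. Note what this does and does not change: the response no longer states the version, but as Brian points out above, the software is still identifiable by its behaviour, and a backported distribution package will look "old" to a version scanner whether or not the header says so. The setting is a reporting change only; the patch level of the installed httpd is what decides whether a given flaw applies.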

