httpd-users mailing list archives

From Brian Dessent <br...@dessent.net>
Subject Re: [users@httpd] Stop Apache from reporting version number anywhere..
Date Mon, 26 Jan 2004 04:06:06 GMT
Taco Fleur wrote:

> I didn't think it would patch any security holes.
> 
> I don't agree with what you are saying, I believe displaying the webserver
> software and version is like giving someone my Bank name, account type and
> branch address, all they need to find out is what my PIN is.

It's giving them info that they will have regardless of whether you tell
them or not.  If you honestly think someone is going to probe your
server and see the 'Header:' string that doesn't contain a version
number, and then say "Well, so much for that, I guess he's not
vulnerable" then you are seriously deluding yourself.  When someone
wants to know if your server is vulnerable to an exploit, they try the
exploit.  They don't go by what version the server reports.  And if you
seriously think that the only way to identify the server software and
version is by looking at the 'Header:' field then you really need to
read up on the security field.

This is especially true in the age of backporting.  The Red Hat Apache
version is still 2.0.40, but they've backported all of the serious flaws
from the current .48.  So if an attacker was scanning simply based on
version numbers they would have tons and tons of false positives for all
those Red Hat systems out there.  In other words, attackers are not
fooled by what that header says.  Not displaying a version number is not
going to deter anyone.

Feel free to hide the version number if you really want to, but DON'T
delude yourself into thinking that it affords you some degree of
security.  If you have vulnerabilities you need to fix them, period. 
Changing the version string is not insurance against anything.

Brian
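The two points Brian makes above, that a server is identifiable without its version banner and that version-only scanning misfires on distributions that backport fixes, can be shown concretely. The following is an added example written for this archive page; it is not code from the thread or from the Apache project. The HTTP responses are constructed by hand (not captured traffic), the fingerprinting rules are deliberately simplified heuristics based on Apache's well-known default error page and ServerSignature address line, and the "fixed in 2.0.48" rule is only there to illustrate the false positive on a backported 2.0.40 build.

```python
"""Fingerprint Apache without the Server: banner, and show why a
version-only vulnerability check misjudges backported builds.

Added example for this mailing-list page; not part of the original
message or of the Apache HTTP Server project.  All responses below are
constructed by hand, and the heuristics are simplified for illustration.
"""
import re

# Default Apache 2.0 error document body (ServerSignature On leaks the
# version again in the <address> line even if you never look at Server:).
_APACHE_404_BODY = (
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    b"<html><head>\n<title>404 Not Found</title>\n</head><body>\n"
    b"<h1>Not Found</h1>\n"
    b"<p>The requested URL /nonexistent was not found on this server.</p>\n"
    b"<hr>\n"
)

# Constructed response: stock settings (ServerTokens Full, ServerSignature On).
FULL_BANNER = (
    b"HTTP/1.1 404 Not Found\r\nDate: Mon, 26 Jan 2004 04:06:06 GMT\r\n"
    b"Server: Apache/2.0.48 (Unix)\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n"
    + _APACHE_404_BODY
    + b"<address>Apache/2.0.48 (Unix) Server at www.example.com Port 80</address>\n"
    b"</body></html>\n"
)
# Constructed response: ServerTokens Prod + ServerSignature Off.
HIDDEN_BANNER = (
    b"HTTP/1.1 404 Not Found\r\nDate: Mon, 26 Jan 2004 04:06:06 GMT\r\n"
    b"Server: Apache\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n"
    + _APACHE_404_BODY + b"</body></html>\n"
)
# Constructed response: Server: header rewritten entirely (assumed done by a
# filtering module); the default error document still gives the game away.
RENAMED_BANNER = (
    b"HTTP/1.1 404 Not Found\r\nDate: Mon, 26 Jan 2004 04:06:06 GMT\r\n"
    b"Server: Webserver\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n"
    + _APACHE_404_BODY + b"</body></html>\n"
)
# Constructed response from some other, unnamed server: no Apache signals.
OTHER_SERVER = (
    b"HTTP/1.1 404 Not Found\r\nServer: Webserver\r\n"
    b"Content-Type: text/plain\r\n\r\nnot found\n"
)

_ERROR_TEMPLATE = re.compile(
    r'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2\.0//EN">\s*<html><head>\s*'
    r"<title>\d{3} [^<]+</title>\s*</head><body>\s*<h1>[^<]+</h1>")
_SIGNATURE = re.compile(r"<address>([^<]*?) Server at ")
_BANNER = re.compile(r"Apache/(\d+(?:\.\d+)+)")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body.decode("latin-1")


def fingerprint(raw: bytes) -> dict:
    """Collect Apache-identifying signals that survive a hidden Server: header."""
    _, headers, body = parse_response(raw)
    hdr = {name.lower(): value for name, value in headers}
    server = hdr.get("server")
    banner = _BANNER.search(server or "")
    sig = _SIGNATURE.search(body)
    sig_version = _BANNER.search(sig.group(1)) if sig else None
    signals = {
        "server_header": server,
        "banner_version": banner.group(1) if banner else None,
        # ServerSignature On re-announces the version in the error body.
        "signature_version": sig_version.group(1) if sig_version else None,
        # The stock error document template is itself a fingerprint.
        "default_error_page": bool(_ERROR_TEMPLATE.search(body)),
    }
    signals["looks_like_apache"] = bool(
        (server or "").startswith("Apache") or sig or signals["default_error_page"])
    return signals


def banner_flags_vulnerable(server_header, fixed_in: str):
    """The naive version-only test a lazy scanner might apply.

    Returns True/False from the banner alone, or None when the banner carries
    no version (so the scanner must try the exploit anyway).  On a distro that
    backports fixes (the 2.0.40 Red Hat build in the thread) it is simply wrong.
    """
    m = _BANNER.search(server_header or "")
    if not m:
        return None
    as_tuple = lambda v: tuple(int(x) for x in v.split("."))
    return as_tuple(m.group(1)) < as_tuple(fixed_in)


if __name__ == "__main__":
    for name, raw in [("full", FULL_BANNER), ("hidden", HIDDEN_BANNER),
                      ("renamed", RENAMED_BANNER), ("other", OTHER_SERVER)]:
        print(name, fingerprint(raw))
    print("Red Hat 2.0.40 flagged by version rule:",
          banner_flags_vulnerable("Apache/2.0.40 (Red Hat Linux)", "2.0.48"))
```

Run it and note that `hidden` and `renamed` are still reported as Apache from the error document alone, while the version-only rule flags the backported Red Hat banner as vulnerable and can say nothing at all about `Server: Apache`; either way the scanner ends up doing what Brian describes, trying the exploit.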

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

