httpd-users mailing list archives

From Dan Trainor <d...@cavecreek.net>
Subject Re: [users@httpd] Stop Apache from reporting version number anywhere..
Date Mon, 26 Jan 2004 04:44:10 GMT
It's been our experience that the attack will happen regardless of 
software version.  Most attacks now are automated, by bots, doing sweeps 
on subnets and such.  It's rare anymore, in terms of numbers, to find 
one single guy trying to take out one single site.  

Go ahead and give them your "bank name and account number".  If you 
don't want them to have that, hop off the internet.  You have to realize 
that they've already "got it".  Numbers will show you that it was done 
in an automated process. 

I would imagine that this would also throw off some sort of red flag for 
the attacker or attack process.  I know I'd be curious if I didn't get 
back a version when I expected to see one.

-dant


Taco Fleur wrote:

>I don't think you understand one bit - I am not deluding myself and thinking
>it will give me security, what I do know is that I am not handing any info
>that will help them...
>
>You hand them all the info you want, I'll try and hand as little info
>as I can, everyone happy.
>
>Taco Fleur
>Blog http://www.tacofleur.com/index/blog/
>Methodology http://www.tacofleur.com/index/methodology/
>0421 851 786
>Tell me and I will forget
>Show me and I will remember
>Teach me and I will learn 
>
>>-----Original Message-----
>>From: Brian Dessent [mailto:brian@dessent.net] 
>>Sent: Monday, 26 January 2004 2:06 PM
>>To: users@httpd.apache.org
>>Subject: Re: [users@httpd] Stop Apache from reporting version 
>>number anywhere..
>>
>>Taco Fleur wrote:
>>
>>>I didn't think it would patch any security holes.
>>>
>>>I don't agree with what you are saying, I believe displaying the 
>>>webserver software and version is like giving someone my Bank name, 
>>>account type and branch address, all they need to find out is what my 
>>>PIN is.
>>>
>>It's giving them info that they will have regardless of 
>>whether you tell them or not.  If you honestly think someone 
>>is going to probe your server and see the 'Header:' string 
>>that doesn't contain a version number, and then say "Well, so 
>>much for that, I guess he's not vulnerable" then you are 
>>seriously deluding yourself.  When someone wants to know if 
>>your server is vulnerable to an exploit, they try the 
>>exploit.  They don't go by what version the server reports.  
>>And if you seriously think that the only way to identify the 
>>server software and version is by looking at the 'Header:' 
>>field then you really need to read up on the security field.
>>
>>This is especially true in the age of backporting.  The 
>>redhat apache version is still 2.0.40, but they've backported 
>>all of the serious flaws from the current .48.  So if an 
>>attacker was scanning simply based on version numbers they 
>>would have tons and tons of false positives for all those 
>>Redhat systems out there.  In other words, attackers are not 
>>fooled by what that header says.  Not displaying a version 
>>number is not going to deter anyone.
>>
>>Feel free to hide the version number if you really want to, 
>>but DON'T delude yourself into thinking that it affords you 
>>some degree of security.  If you have vulnerabilities you 
>>need to fix them, period. 
>>Changing the version string is not insurance against anything.
>>
>>Brian
>>
>>---------------------------------------------------------------------
>>The official User-To-User support forum of the Apache HTTP 
>>Server Project. See 
>><URL:http://httpd.apache.org/userslist.html> for more info. 
>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>For additional commands, e-mail: users-help@httpd.apache.org
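For readers who land on this thread looking for the directives themselves: the following httpd.conf fragment is an added example, not part of any message above, and shows the default (verbose) setting beside the hardened one for the two directives that control what Apache discloses about itself. The sample header values in the comments are illustrative.

```apache
# Added example, not from the thread. The weak default is shown commented
# out above the hardened value for each directive.

# Default: the Server header carries product, version, OS and loaded module
# versions, e.g. "Server: Apache/2.0.48 (Unix) mod_ssl/2.0.48"
#ServerTokens Full

# Hardened: report the product name only, i.e. "Server: Apache".
# Accepted values, most to least verbose: Full, OS, Minor, Minimal, Major, Prod.
# ServerTokens is server-wide; it cannot be set per virtual host or directory.
ServerTokens Prod

# Default: server-generated pages (error pages, directory indexes) carry a
# footer such as "Apache/2.0.48 Server at www.example.com Port 80".
#ServerSignature On

# Hardened: no footer on server-generated pages.
ServerSignature Off
```

Check the result after a restart with `curl -sI http://your-host/ | grep -i '^Server:'`; the expected line is `Server: Apache` and nothing more. Note the caveat the thread itself makes: even at `Prod` the product name is still sent, and a distribution that backports fixes (the Red Hat 2.0.40 case above) will still advertise its old version number with `Full`, so the header tells an attacker neither that you are patched nor that you are not.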