httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] Stop Apache from reporting version number anywhere..
Date Mon, 26 Jan 2004 10:00:23 GMT
> -----Original Message-----
> From: Taco Fleur [mailto:tacofleur@nella.net.au] 
> 
> What are other peoples thoughts on this?

This question comes up every couple of months or so and always
polarises the congregation. There are two sides to the argument:

- The "token hiders" get a fright when they realise that their server is
broadcasting something like: "Apache/1.3.29 (Unix) mod_ssl/2.8.16
OpenSSL/0.9.7c mod_perl/1.29" to the world. They think, "What if there's
an exploit in one of these versions that I don't know about? A hacker
could scan the web, looking for exactly this signature and then home in
on me!". It's a reasonable fear... but one which I think is unfounded
(read on).

- The "token senders" have known all about the server signature thing
for a long time and understand its purpose, which is to help the
internet remain a "community". When you advertise your server signature,
you allow people like the W3C, ICANN etc to collect statistics on who's
using what servers and at what version. This is useful information and
helps the web to evolve.

It has to be said that the Hiders are mainly new web admins while the
Senders are largely seasoned old salts - some of whom even remember the
internet from when you could use telnet, en clair, across the planet! So
why aren't the Senders afraid of releasing their server signature? A few
reasons:

- It is not at all useful to a hacker. If there is an exploit available
on your version, you should upgrade immediately. Hiding the version
won't protect you. If you have the latest versions, you will be safe (in
the apache community, upgrades are always one step ahead of the exploits
- that is one reason to choose apache over any other server). The
comparison with a bank account is overstating the case, but even if a
crook knows your bank account number, he can't do anything with it - he
can't withdraw cash without physically obtaining your card and can't do
anything in the branch without ID. Simply knowing a bank account number
is useless - I know the bank account number of my telephone company
(that's how I pay my bills), but I can't rob their account. Actually,
hiding the server signature is more like covering up the manufacturer's
name on a padlock. Does that make it harder to pick?

- Hackers do not filter the servers before attacking. If they did, how
come your log is full of Code Red and Nimda requests which only have a
chance of working with IIS? Even if they did, the sensible thing for
them to do would be to exclude only those servers with up-to-date
versions. In other words, you could protect yourself better if you *do*
publish the version, but lie about it and pretend you're up-to-date!

The main reason for having this debate is to instill into novice
webmasters that the most important thing about security is to keep up to
date with upgrades and patches of the server and the OS. Chasing around
hiding signatures might make you feel good, but is a waste of time as
far as real security goes.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 
  


> 
> I personally reckon that those who use automated tools are script kiddies,
> i.e. not real crackers - I believe real crackers will want to stay under the
> radar and therefore perform aimed attacks instead of flooding the server
> with requests that might disclose a security hole. For those aimed and
> controlled attacks they first require as much info about you as possible.
> 
> But as you say I also see the flipside to it, and when not returning any of
> this info people get curious, but still, I reckon only curious enough if
> they know what they can expect on the other side, i.e. a bank.
> 
> My 2 cents
> 
> > -----Original Message-----
> > From: Dan Trainor [mailto:dant@cavecreek.net] 
> > Sent: Monday, 26 January 2004 2:44 PM
> > To: users@httpd.apache.org
> > Subject: Re: [users@httpd] Stop Apache from reporting version 
> > number anywhere..
> > 
> > 
> > It's been our experience that the attack will happen regardless of
> > software version.  Most attacks now are automated, by bots, doing sweeps
> > on subnets and such.  It's rare anymore, in terms of numbers, to find
> > one single guy trying to take out one single site.
> > 
> > Go ahead and give them your "bank name and account number".  If you
> > don't want them to have that, hop off the internet.  You have to realize
> > that they've already "got it".  Numbers will show you that it was done
> > in an automated process.
> > 
> > I would imagine that this would also throw off some sort of red flag for
> > the attacker or attack process.  I know I'd be curious if I didn't get
> > back a version when I expected to see one.
> > 
> > -dant
> > 
> > 
> > Taco Fleur wrote:
> > 
> > >I don't think you understand one bit - I am not deluding myself and
> > >thinking it will give me security, what I do know is that I am not
> > >handing any info that will help them...
> > >
> > >You hand them all the info you want, I'll try and hand as little
> > >info as possible, everyone happy.
> > >
> > >Taco Fleur
> > >Blog http://www.tacofleur.com/index/blog/
> > >Methodology http://www.tacofleur.com/index/methodology/
> > >0421 851 786
> > >Tell me and I will forget
> > >Show me and I will remember
> > >Teach me and I will learn
> > >
> > >>-----Original Message-----
> > >>From: Brian Dessent [mailto:brian@dessent.net]
> > >>Sent: Monday, 26 January 2004 2:06 PM
> > >>To: users@httpd.apache.org
> > >>Subject: Re: [users@httpd] Stop Apache from reporting version 
> > >>number anywhere..
> > >>
> > >>
> > >>Taco Fleur wrote:
> > >>
> > >>>I didn't think it would patch any security holes.
> > >>>
> > >>>I don't agree with what you are saying, I believe displaying the
> > >>>webserver software and version is like giving someone my bank name,
> > >>>account type and branch address, all they need to find out is what my
> > >>>PIN is.
> > >>>
> > >>It's giving them info that they will have regardless of
> > >>whether you tell them or not.  If you honestly think someone
> > >>is going to probe your server and see the 'Header:' string
> > >>that doesn't contain a version number, and then say "Well, so
> > >>much for that, I guess he's not vulnerable" then you are
> > >>seriously deluding yourself.  When someone wants to know if
> > >>your server is vulnerable to an exploit, they try the
> > >>exploit.  They don't go by what version the server reports.
> > >>And if you seriously think that the only way to identify the
> > >>server software and version is by looking at the 'Header:'
> > >>field then you really need to read up on the security field.
> > >>
> > >>This is especially true in the age of backporting.  The
> > >>Red Hat Apache version is still 2.0.40, but they've backported
> > >>all of the serious flaws from the current .48.  So if an
> > >>attacker was scanning simply based on version numbers they
> > >>would have tons and tons of false positives for all those
> > >>Red Hat systems out there.  In other words, attackers are not
> > >>fooled by what that header says.  Not displaying a version
> > >>number is not going to deter anyone.
> > >>
> > >>Feel free to hide the version number if you really want to,
> > >>but DON'T delude yourself into thinking that it affords you
> > >>some degree of security.  If you have vulnerabilities you
> > >>need to fix them, period.
> > >>Changing the version string is not insurance against anything.
> > >>
> > >>Brian
> > >>
> > >>------------------------------------------------------------
> > ---------
> > >>The official User-To-User support forum of the Apache HTTP
> > >>Server Project. See 
> > >><URL:http://httpd.apache.org/userslist.html> for more info. 
> > >>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > >>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > >>For additional commands, e-mail: users-help@httpd.apache.org
> > >>
> > >>    
> > >>
> > >
> > >
> > 
This e-mail is of a private and personal nature. It is not related to the
exchange or business activities of the SWX Group.

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company. 
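Editor's added example (not code from the thread or from the httpd project): what a Server banner does and does not tell a scanner that goes by version numbers, which is the point Brian makes about Red Hat's backported 2.0.40 and Owen makes about "lying" with an up-to-date version string. Apache's own knobs for what the subject line asks are ServerTokens Prod (cuts the header down to "Server: Apache") and ServerSignature Off (drops the version from server-generated pages); the thread does not show them and neither does this script. The only real version numbers below are the ones the thread names (1.3.29, 2.0.40, 2.0.48); the host names and the "really patched?" column are constructed.

```python
"""Added example: a banner-only version check scored against ground truth.

Not code from the thread or from the httpd project. Host names and the
'patched' column are constructed; versions are the ones quoted in the thread.
"""
import re
from typing import List, Optional, Tuple

# One "product/version (comment)" token of an HTTP Server header, e.g.
# "Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7c mod_perl/1.29".
_TOKEN = re.compile(r"([A-Za-z][\w.+-]*)/([0-9][\w.]*)(?:\s*\(([^)]*)\))?")

# Latest release per branch as the thread names them (January 2004); a
# version-matching scanner keeps a table like this and flags anything older.
LATEST_IN_BRANCH = {"1.3": "1.3.29", "2.0": "2.0.48"}


def parse_banner(banner: str) -> List[Tuple[str, str, Optional[str]]]:
    """Split a Server header into (product, version, comment) tuples.

    A bare product name with no '/version' (what 'ServerTokens Prod'
    sends) yields no tuples at all; that is the whole effect of hiding.
    """
    return [(m.group(1), m.group(2), m.group(3)) for m in _TOKEN.finditer(banner)]


def version_key(version: str):
    """Comparable key: numeric dotted parts plus a trailing letter suffix,
    so 2.0.10 > 2.0.9 and OpenSSL-style 0.9.7c > 0.9.7."""
    key = []
    for piece in version.split("."):
        m = re.match(r"(\d+)([A-Za-z]*)$", piece)
        key.append((int(m.group(1)), m.group(2)) if m else (0, piece))
    return tuple(key)


def banner_says_outdated(banner: str) -> Optional[bool]:
    """The naive scanner rule: 'reports a version older than its branch's
    latest => probably vulnerable'. None when the banner carries no Apache
    version or a branch not in the table."""
    for product, version, _ in parse_banner(banner):
        if product.lower() == "apache":
            branch = ".".join(version.split(".")[:2])
            latest = LATEST_IN_BRANCH.get(branch)
            if latest is None:
                return None
            return version_key(version) < version_key(latest)
    return None


# Constructed inventory: (host, banner, really patched?). The last column is
# what only an actual test or knowledge of the build reveals, never the banner.
HOSTS = [
    ("www.example.net",   "Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7c mod_perl/1.29", True),
    ("rhel.example.net",  "Apache/2.0.40 (Red Hat Linux)", True),   # Brian's backported build
    ("stock.example.net", "Apache/2.0.40 (Unix)", False),           # same banner, never patched
    ("quiet.example.net", "Apache", True),                          # ServerTokens Prod
    ("liar.example.net",  "Apache/2.0.48 (Unix)", False),           # Owen's "lie about it" host
]


def triage(hosts=HOSTS):
    """Score the banner rule against ground truth for each host."""
    result = {}
    for host, banner, patched in hosts:
        verdict = banner_says_outdated(banner)
        if verdict is None:
            result[host] = "unknown"
        elif verdict:
            result[host] = "false positive" if patched else "true positive"
        else:
            result[host] = "true negative" if patched else "false negative"
    return result


if __name__ == "__main__":
    for host, outcome in triage().items():
        print(f"{host:20s} {outcome}")
```

Run as is, the inventory yields one true positive, one false positive (the backported Red Hat build), one false negative (the host that lies), one unknown (the hidden banner) and one true negative: the banner rule is wrong or silent on three of the five hosts, which is why a real attacker tries the exploit rather than trusting the header.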



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
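Editor's added example (not from the thread): a tally of the IIS-only worm probes Owen refers to when he says logs are "full of code red and nimbda requests", run over constructed Apache access-log lines. The log lines are made up for this example in Common Log Format; the request paths are the well-known Code Red (/default.ida) and Nimda (root.exe / cmd.exe reached by directory traversal) probe URLs, and everything else is assumed to be ordinary traffic.

```python
"""Added example: counting IIS-only worm probes in an Apache access log.

Not code from the thread. SAMPLE_LOG is constructed; the worm request paths
are the historical Code Red and Nimda probes.
"""
import re
from collections import Counter
from typing import Dict, Optional

# Common Log Format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Worm family -> request path pattern. Both families only ever had a chance
# against IIS; on Apache they are dead requests, not an attack surface.
WORM_SIGNATURES = [
    ("Code Red", re.compile(r"^/default\.ida\?", re.I)),
    ("Nimda", re.compile(r"(?:root|cmd)\.exe\?/c\+", re.I)),
]

# Constructed sample log (addresses from the documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jan/2004:10:00:23 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090 HTTP/1.0" 404 290
198.51.100.4 - - [26/Jan/2004:10:01:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289
198.51.100.4 - - [26/Jan/2004:10:01:02 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 288
198.51.100.4 - - [26/Jan/2004:10:01:03 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
198.51.100.4 - - [26/Jan/2004:10:01:03 +0000] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
192.0.2.9 - - [26/Jan/2004:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 1532
192.0.2.9 - - [26/Jan/2004:10:02:12 +0000] "GET /images/logo.png HTTP/1.1" 200 4018
"""


def parse_line(line: str) -> Optional[dict]:
    """Fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path: str) -> Optional[str]:
    """Name the worm family a request path belongs to, or None."""
    for family, pattern in WORM_SIGNATURES:
        if pattern.search(path):
            return family
    return None


def summarize(log_text: str = SAMPLE_LOG) -> Dict[str, object]:
    """Tally worm probes per family and per source address, and count any
    probe that got something other than a 4xx (on Apache there should be
    none; one would mean a file or handler actually matched the path)."""
    families: Counter = Counter()
    sources: Counter = Counter()
    not_rejected = 0
    other = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        family = classify(rec["path"])
        if family is None:
            other += 1
            continue
        families[family] += 1
        sources[rec["ip"]] += 1
        if not rec["status"].startswith("4"):
            not_rejected += 1
    return {
        "families": dict(families),
        "sources": dict(sources),
        "probes_not_rejected": not_rejected,
        "other_requests": other,
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The scanner behind 198.51.100.4 fires four Nimda variants in two seconds without first asking what the server is, which is the indiscriminate behaviour the thread describes; the useful defender-side check is the "probes_not_rejected" counter, since a worm probe that gets a 200 from an Apache host means something on that host answers to an IIS path and deserves a look.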

