httpd-users mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] Is it more secure to only return 200 and 404 error codes?
Date Tue, 13 Jun 2006 14:10:49 GMT
On 6/13/06, Robert Hulme <robert.hulme@gmail.com> wrote:
> The suggestion has been made to me that it is more secure to configure
> Apache to only return 200 and 404 error codes (or something similar)
> so that situations that would return any other 4xx or 5xx code will
> return 404 codes.
>
> The reasoning given for this is that it limits the amount of
> information available to a cracker about what is available from the
> webroot / how Apache is configured.
>
> This doesn't seem to be a good idea to me as it seems that it would
> violate the principle of returning appropriate error codes as defined
> in RFC 2616.
>
> I am really interested in the opinion of other Apache users /
> developers though - as I need to have a robust case for action
> whichever direction turns out to be the best.
>
> I have also been told that it is 'more secure' to hide the Apache
> version number in error reports / etc. This also sounds like 'security
> by obscurity' to me but again I would really appreciate any robust
> comments from you guys.

It is also more secure to unplug your network cable.  But it won't get
you very far.

My response to suggestions like this is that you don't do much good
because there are basically two types of crackers to worry about:
1) Stupid script kiddies and worms who don't care what your server
returns; they just try every possible exploit on every possible
server; and
2) Smart hackers who can easily figure out your version of apache and
the structure of your site regardless of what options you turn off.

And I don't buy the argument that it doesn't cost anything.  It costs
your time to make these silly config changes when you could be
worrying about real security issues.  And it costs your time again
when you can't get proper debugging information from the server
because you've turned off all the useful feedback.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
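For readers weighing the two suggestions in the original question, the following httpd configuration fragment is an added illustration of what each one actually involves; it is not from the thread or from the Apache project. The paths /errors/not-found.html and /cgi-bin/as-404.cgi are placeholders, and the CGI script is assumed to emit a "Status: 404" header (ErrorDocument with a plain local file keeps the original status code, so a file alone would still send 403 or 500 on the wire).

```apache
# Suggestion 2 from the question: stop advertising the httpd version.
# "Prod" reduces the Server header to "Apache"; "Off" removes the
# version/hostname line from generated error pages and directory listings.
ServerTokens Prod
ServerSignature Off

# Suggestion 1 from the question: collapse other error responses into 404.
# A plain local document keeps the original status code, so the 403 case
# below still answers 403 with the not-found page as its body ...
ErrorDocument 403 /errors/not-found.html

# ... whereas a script can rewrite the status itself. The hypothetical
# as-404.cgi is assumed to print "Status: 404 Not Found" before its body.
# Note the cost Joshua raises: the client now sees 404 for auth failures
# and server errors alike, so diagnosis has to come from error_log instead
# (the log still records the real reason, only the response is masked).
ErrorDocument 401 /cgi-bin/as-404.cgi
ErrorDocument 500 /cgi-bin/as-404.cgi
```

The first two directives are cheap and widely used; the ErrorDocument mapping is the part that departs from RFC 2616 status semantics, which is the trade-off the question asks about.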

