httpd-users mailing list archives

From Richard de Vries <richard_devr...@yahoo.com>
Subject Re: [users@httpd] Removing or overwriting "Server" header field.
Date Wed, 24 Jan 2007 22:34:09 GMT
It may be a "tiny roadblock" as you put it, but it
doesn't cost anything, nor does it hurt anything. So
why wouldn't you do it? 

By itself it may not make a whole lot of difference,
but combine a lot of these "tiny roadblocks" together
and you'll have yourself a defense in depth strategy.
(http://en.wikipedia.org/wiki/Defense_in_depth). 

I do agree with you on your statement that real
security issues need to be worried about first. But if
you have the time and resources to put up tiny
roadblocks like this in addition to the real security
concerns, why not!

But this particular mod_security directive aside ....
mod_security as an overall module is extremely
powerful and can do much much more.

  R.

--- Joshua Slive <joshua@slive.ca> wrote:

> On 1/24/07, Richard de Vries <richard_devries@yahoo.com> wrote:
> 
> > I have modsecurity running on my apache instances, and
> > I often see all kinds of IIS exploits hitting my box.
> > This then gives me time to look thru my various apache
> > and firewall logs, and take some corrective measures
> > like for instance slapping some IPTables rules on the
> > box to block that IP.
> 
> Have you looked at some of the previous threads on
> this topic?  I'm guessing no.
> 
> Have you ever investigated how many people who DO
> NOT hide their
> apache Server identity also get hit by huge
> quantities of IIS attacks?
>  The number is close to 100% from my observations.
> 
> Here's the trick: There are basically two types of
> "crackers" you need
> to worry about, script-kiddies, and sophisticated
> hackers.  The first
> type will try every possible exploit on every server
> they can find;
> they rarely if ever bother to look at the Server
> header or anything
> else.  The latter type can easily figure out what
> kind of server
> you're running very unobtrusively whether or not you
> display the
> Server header.  So in neither case will hiding the
> Server header buy
> you anything at all.
> 
> Your argument seems to be that there may be a small
> number of crackers
> in between those two groups that might be delayed by
> a few minutes if
> you hide your Server header.  I don't see any
> evidence that such
> crackers actually exist.  And even if they did, your
> time would be
> much better spent worrying about real security
> issues than putting a
> tiny roadblock in their way.
> 
> Joshua.
> 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
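The workflow Richard describes above (spotting IIS-only exploit attempts in the Apache logs, then deciding which source addresses to block) can be turned into a small triage script. This is an added example, not code from the thread or from mod_security; the log lines are constructed, the probe patterns are a short illustrative list of well-known IIS worm/scanner signatures, and the block threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jan/2007:22:01:11 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 292 "-" "-"
203.0.113.7 - - [24/Jan/2007:22:01:12 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
203.0.113.7 - - [24/Jan/2007:22:01:13 +0000] "GET /_vti_bin/owssvr.dll HTTP/1.0" 404 290 "-" "-"
198.51.100.4 - - [24/Jan/2007:22:02:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Jan/2007:22:02:06 +0000] "GET /msadc/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
192.0.2.9 - - [24/Jan/2007:22:03:00 +0000] "GET /about.html HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request paths that only make sense against IIS. On an Apache box they are pure
# noise from indiscriminate scanners, which is exactly the traffic the thread describes.
IIS_PROBES = [
    re.compile(p, re.IGNORECASE) for p in (
        r"/default\.ida",             # Code Red style probe
        r"/scripts/root\.exe",        # Nimda backdoor probe
        r"/winnt/system32/cmd\.exe",  # traversal to cmd.exe
        r"/_vti_bin/",                # FrontPage server extensions
    )
]

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_iis_probe(path):
    return any(p.search(path) for p in IIS_PROBES)

def probes_by_ip(log_text):
    """Count IIS-only probe requests per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_iis_probe(rec["path"]):
            counts[rec["ip"]] += 1
    return dict(counts)

def candidates_to_block(log_text, threshold=2):
    """IPs whose probe count reaches the (assumed) threshold; a human reviews before any firewall rule."""
    return sorted(ip for ip, n in probes_by_ip(log_text).items() if n >= threshold)
```

Feed it the real access log instead of SAMPLE_LOG and the returned list is the review queue for the iptables step; the point of the threshold is to separate a persistent scanner from a single stray request.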