* On Tue, Jan 13, 2004 at 02:25:36PM +0000, Ivan Ristic wrote: > Because I believe that changing the signature prevents some > automated tools from attacking the server.
This is a valid point. > I recently changed the signature of the Apache running on > modsecurity.org (to pretend to be IIS5). As a result, I've started > getting more IIS-related attacks than before. So, the signature > does matter. Exactly. In an enterprise where I am responsible for 1000+ web servers, we ran metrics to see the ratios in which servers' signatures were "examined". Not to be anti-IIS or anything, but the scans against IIS outweighed the Apache scans in the range of 8:1, or somewhere in those lines. I also would like to say that the majority of those (Apache) metrics exhibited more "examinations" which were specific to code vulnerabilities, not server-specific vulnerabilities. To close, I don't think adding any type of directive to falsify SERVER_SOFTWARE would be of any benefit, except to add a false sense of security. -- Chip Cuccio | chipster[at]norlug[.]org NORLUG VP and Sysadmin | <http://norlug.org/~chipster/> Northfield Linux Users' Group | Northfield, Minnesota USA
