Ken Murchison wrote:
Sascha Wuestemann wrote:
Hi,
when sending email over cyrus imap, it gives full information about
version. So, an attacker has just to telnet at port 25 to see if his
bunch of exploits fits to it.
That is a dangerous and I would like to suppress all version
information, even that it is cyrus answering, if possible.
Security by obscurity never works. Do you really think an attacker
would be deterred by the version number that he sees? He'll probably
try his attack regardless of the version reported.
I wouldn't go so far as to say that it NEVER works. It's not an
uncommon practice to remove version information from banners for this
reason. Certainly a determined attacker might use any tools at her
disposal regardless of whether she knows what version you're running,
but anything you can do to make it less easy for an attacker, such as
removing version information, is worthwhile. It's like a burglar alarm;
it doesn't *prevent* an intruder, but it might make the unalarmed house
next door a more appealing target.
Mike Nuss
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
