Then why, pray tell, is OS fingerprinting so important to a cracker? Why
are the major vendors beefing up issues such as TCP sequence number
prediction and obscuring their OSes from easy OS type determination? Even
the DNS/BIND folks have added the ability to their daemon to hide its
version and such from outside connects.
While I agree that security merely through obscurity is not the way to go,
enhancing one's security via obscuring as much data as possible does not really hurt
and most likely helps in locking the ship down tight.
If I can ping and connect to a few services and find yer running HP-UX
with some non-flame-retardant daemon, then I know that if I can crack one
minor account, since you have no shadow password system, I can get all the
keys to the house by cracking yer passwd file. I've gained a lot of info
already, yes?
Thanks,
Ron DuFresne
On Mon, 7 May 2001, Owen Boyle wrote:
> Deocs Postmaster wrote:
> >
> > At 07:54 AM 05/07/2001 , you wrote:
> > >Deocs Postmaster wrote:
> > > > From telnet HEAD / HTTP/1.0 returns the type of server,
> > > > installed modules, and other information.
> > >
> > > > Why is this information so openly disclosed, and is
> > > > there an easy way to disable or modify it?
> > >
> > >Do you think hiding your apache version number will save you from
> > >hackers? Security through obscurity is no security. A typical hack
> > >program looks like this:
> > >
> > >foreach (@list_of_hosts_to_hack) {
> > >    my $version = get_apache_version_number($_);
> > >
> > >    if (defined($version)) {
> > >        do_fiendish_hack($_);
> > >    }
> > >    else {
> > >
> > >        # Drat! hackee has hidden version number!
> > >
> > >        do_fiendish_hack_anyway($_);
> > >    }
> > >}
> > >
> > >If you really want to hide it, use the ServerTokens directive.
> >
> > It appears the current default is that the server disclose this information.
>
> Correct. Why shouldn't it?
>
> I understand your feeling that we should not hand out things on a plate
> to hackers but if you reflect on it, a sys-admin's job is not to make
> hacking a little bit more difficult, it is to make hacking impossible.
>
> Your security should rely on a firewall, well-installed utilities and a
> robust OS - not on no-one guessing your server type, OS and whether or
> not you have a few commonly-used modules installed. Your system should
> be so secure that even if a hacker is in possession of your full server
> spec he still can't get in.
>
> Put it another way, if you build a burglar-proof wall around your house
> that no-one can get through - does it matter if you publish your address
> and even tell them what the bricks are made of?
>
> Rgds,
> Owen Boyle.
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
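As an added example (not code from this thread, nor from Apache), a small Python self-check for the `HEAD / HTTP/1.0` disclosure discussed above: it parses a raw response, pulls out the Server header, and maps it back to the ServerTokens level that produced it, so an admin can confirm what a host reveals before and after setting `ServerTokens Prod`. The sample responses and version numbers are constructed, not captured from any real server.

```python
import re
from typing import Optional

# Constructed sample replies to "HEAD / HTTP/1.0" (not captured from any real host).
# The first is the default "ServerTokens Full" answer the thread describes: product
# version, OS and loaded modules.  The second is the same server after putting
# "ServerTokens Prod" (and "ServerSignature Off") in httpd.conf.
RESPONSE_FULL = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.0 (Unix) mod_ssl/2.8.0 OpenSSL/0.9.6\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
RESPONSE_PROD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def server_header(raw: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def tokens_level(value: str) -> str:
    """Map a Server value onto the ServerTokens level (Prod/Min/OS/Full) that emits it."""
    _product, slash, rest = value.partition("/")
    if not slash:
        return "Prod"            # "Apache"
    m = re.match(r"[\w.]*\s*(\([^)]*\))?\s*(.*)", rest)
    os_part, extra = m.group(1), m.group(2)
    if extra:
        return "Full"            # "Apache/1.3.0 (Unix) mod_ssl/2.8.0 ..."
    if os_part:
        return "OS"              # "Apache/1.3.0 (Unix)"
    return "Min"                 # "Apache/1.3.0" (Major/Minor in 2.x look alike)


def audit(raw: str) -> dict:
    """Summarise what a response discloses: header, level, module list, version exposure."""
    value = server_header(raw) or ""
    level = tokens_level(value) if value else "none"
    modules = re.findall(r"\S+/\S+", value)[1:] if level == "Full" else []
    return {"server": value, "level": level, "modules": modules,
            "exposes_version": level not in ("Prod", "none")}
```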