Re: hide server-version at connect?
I suppose the assumption is that any client needs the server version to figure out the compatible set of capabilities, as there is no separate protocol versioning afaik. I suppose you could change the version in the source to the lowest that has the full feature set you need.

--
Bier met grenadyn
Is als mosterd by den wyn
Sy die't drinkt, is eene kwezel
Hy die't drinkt, is ras een ezel

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql
Re: hide server-version at connect?
On 10.01.2012 12:44, Johan De Meersman wrote:
> I suppose the assumption is that any client needs the server version to figure out the compatible set of capabilities, as there is no separate protocol versioning afaik.

sure? what's the binary between version and mysql_native_password?

5.5.19-log�voI^}{rL��a'9,l]o7_\1}mysql_native_password

> I suppose you could change the version in the source to the lowest that has the full feature set you need.

hmm - all servers/clients are Fedora with the same versions :-)
mysql 5.5 would be enough i guess, but how to create a patch for rpmbuild which must not be permanently changed for every mysql update
Re: hide server-version at connect?
- Original Message -
From: Reindl Harald h.rei...@thelounge.net

> sure? what's the binary between version and mysql_native_password?

No idea, I never bothered to look at the raw protocol :-)

> mysql 5.5 would be enough i guess, but how to create a patch for rpmbuild which must not be permanently changed for every mysql update

I wouldn't think that bit of the code changes a lot between versions, really. Still, do you really think exposing that is such a risk? Do you have servers exposed to the net?
Re: hide server-version at connect?
On 10.01.2012 13:29, Johan De Meersman wrote:
> - Original Message -
> From: Reindl Harald h.rei...@thelounge.net
>> sure? what's the binary between version and mysql_native_password?
>
> No idea, I never bothered to look at the raw protocol :-)

me too :-)

>> mysql 5.5 would be enough i guess, but how to create a patch for rpmbuild which must not be permanently changed for every mysql update
>
> I wouldn't think that bit of the code changes a lot between versions

i will look

> really. Still, do you really think exposing that is such a risk? Do you have servers exposed to the net?

currently i am scanning all servers from a OpenVAS-Appliance and my primary target is to get rid of all information disclosures
samba is the next in the list blowing out even build-number *grr*
all or nothing :-)
Re: hide server-version at connect?
Security through obscurity? If none of your MySQL (or samba) servers are open to untrusted networks, why do you need to hide this information.

Sent from my iPad

On Jan 10, 2012, at 6:35 AM, Reindl Harald h.rei...@thelounge.net wrote:

> On 10.01.2012 13:29, Johan De Meersman wrote:
>> - Original Message -
>> From: Reindl Harald h.rei...@thelounge.net
>>> sure? what's the binary between version and mysql_native_password?
>>
>> No idea, I never bothered to look at the raw protocol :-)
>
> me too :-)
>
>>> mysql 5.5 would be enough i guess, but how to create a patch for rpmbuild which must not be permanently changed for every mysql update
>>
>> I wouldn't think that bit of the code changes a lot between versions
>
> i will look
>
>> really. Still, do you really think exposing that is such a risk? Do you have servers exposed to the net?
>
> currently i am scanning all servers from a OpenVAS-Appliance and my primary target is to get rid of all information disclosures
> samba is the next in the list blowing out even build-number *grr*
> all or nothing :-)
Re: hide server-version at connect?
- Original Message -
From: Johnny Withers joh...@pixelated.net

> Security through obscurity?

That sentence has been overused way too much. If you want to remove all obscurity from your security, just publish your passwords and private keys.

> If none of your MySQL (or samba) servers are open to untrusted networks, why do you need to hide this information.

Because even on a trusted network you can have untrusted agents. Think malcontent employees, viruses, et cetera. Security comes in layers, the more the better - although I do agree that this particular layer is not the first priority.
Re: hide server-version at connect?
On 10/01/12 15:41, Chris Tate-Davies wrote:
> On 10/01/12 13:34, Johan De Meersman wrote:
>> - Original Message -
>> From: Johnny Withers joh...@pixelated.net
>>> Security through obscurity?
>>
>> That sentence has been overused way too much. If you want to remove all obscurity from your security, just publish your passwords and private keys.
>>
>>> If none of your MySQL (or samba) servers are open to untrusted networks, why do you need to hide this information.
>>
>> Because even on a trusted network you can have untrusted agents. Think malcontent employees, viruses, et cetera. Security comes in layers, the more the better - although I do agree that this particular layer is not the first priority.
>
> Indeed, have a read of http://en.wikipedia.org/wiki/Defence_in_depth

Sorry, wrong link, this is the right one: http://en.wikipedia.org/wiki/Defense_in_depth_(computing)
Re: hide server-version at connect?
On 10/01/12 13:34, Johan De Meersman wrote:
> - Original Message -
> From: Johnny Withers joh...@pixelated.net
>> Security through obscurity?
>
> That sentence has been overused way too much. If you want to remove all obscurity from your security, just publish your passwords and private keys.
>
>> If none of your MySQL (or samba) servers are open to untrusted networks, why do you need to hide this information.
>
> Because even on a trusted network you can have untrusted agents. Think malcontent employees, viruses, et cetera. Security comes in layers, the more the better - although I do agree that this particular layer is not the first priority.

Indeed, have a read of http://en.wikipedia.org/wiki/Defence_in_depth

Chris Tate-Davies
Software Development
Inflight Productions Ltd
Telephone: 01295 269 680
15 Stukeley Street | London | WC2B 5LT
Email: chris.tatedav...@inflightproductions.com
Web: www.inflightproductions.com
Re: hide server-version at connect?
On Jan 9, 2012, at 7:27 PM, Reindl Harald wrote:

> Nessus/OpenVAS Test detects the exact server version
>
> _
> NVT: MySQL Detection (OID: 1.3.6.1.4.1.25623.1.0.100152)
> Overview: MySQL, a open source database system is running at this host.
> MySQL Version '5.5.19-log' was detected on the remote host.
> _
>
> is there any way to not disclose the mysqld-version to an anonymously connected client?

For the case you give below, no authentication has yet taken place, so you don't know whether the client is anonymous or not. But the version is needed for proper client-server negotiation to take place, I believe. Even if that were not true, any client, anonymous or not, can use SELECT @@version or SELECT VERSION() to get the version.

> [harry@srv-rhsoft:~]$ telnet localhost 3306
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> N
> 5.5.19-logs+%b?QYO]g��ke8'Xg~e\}!(mysql_native_password

--
Paul DuBois
Oracle Corporation / MySQL Documentation Team
Madison, Wisconsin, USA
www.mysql.com
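As an added example, not part of the thread and not MySQL's own code, the following Python builds a protocol-v10 server greeting like the one captured with telnet above and decodes it, showing exactly which fields (version string, connection id, auth salt, capability flags, auth plugin name) reach a client before any authentication. The salt, connection id and capability value are constructed sample values; the byte layout follows the documented Protocol::HandshakeV10.

```python
# Added example, not from the thread: build a MySQL protocol-v10 greeting
# like the one captured with telnet above and decode it, to show which
# fields reach a client before any authentication. Layout follows the
# documented Protocol::HandshakeV10; salt and connection id are sample values.
import struct

CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def build_handshake_v10(version, plugin="mysql_native_password", conn_id=42,
                        salt=b"ABCDEFGHIJKLMNOPQRST", caps=0x000FF7FF):
    """Return one packet (3-byte length, sequence id 0, payload) as mysqld sends it."""
    payload = (bytes([10])                         # protocol version
               + version.encode() + b"\x00"        # server version, NUL-terminated
               + struct.pack("<I", conn_id)        # connection id
               + salt[:8] + b"\x00"                # auth-plugin-data-part-1, filler
               + struct.pack("<HBHHB", caps & 0xFFFF, 33, 2, caps >> 16, len(salt) + 1)
               + b"\x00" * 10                      # reserved
               + salt[8:] + b"\x00"                # auth-plugin-data-part-2 (13 bytes)
               + plugin.encode() + b"\x00")        # auth plugin name
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


def parse_handshake_v10(packet):
    """Decode the greeting fields a scanner such as OpenVAS reads."""
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if payload[0] != 10:
        raise ValueError("not a protocol-v10 greeting")
    end = payload.index(b"\x00", 1)                # end of the version string
    version = payload[1:end].decode()
    conn_id = struct.unpack_from("<I", payload, end + 1)[0]
    salt = payload[end + 5:end + 13]               # auth-plugin-data-part-1
    caps_low, charset, status, caps_high, salt_len = struct.unpack_from("<HBHHB", payload, end + 14)
    pos = end + 14 + 8 + 10                        # skip fixed fields and 10 reserved bytes
    caps = caps_low | (caps_high << 16)
    if caps & CLIENT_SECURE_CONNECTION:
        part2 = max(13, salt_len - 8)
        salt += payload[pos:pos + part2].rstrip(b"\x00")
        pos += part2
    plugin = None
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = payload[pos:payload.index(b"\x00", pos)].decode()
    return {"version": version, "connection_id": conn_id, "salt": salt,
            "capabilities": caps, "auth_plugin": plugin}
```

In the telnet capture above, the leading "N" (0x4e) is the first byte of the 3-byte packet length and the line break after it is the protocol-version byte 0x0a rendered as a newline; the random-looking bytes between the version and the plugin name are the connection id, the 20-byte auth salt and the capability, charset and status fields, not anything that needs protecting.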