> > I'd go with the idea that security through obscurity isn't such a bad idea.
>
> No, you are right, it isn't such a bad idea. It is a terrible idea.

On its own, yes it is. Coupled with regular patching of security holes,
monitoring of logs, a good IDS that is set up to mail/page you, correct
configurations, and a good background in security, it is actually useful.

> > I mean, drop down all around the corner what exactly security is: the
> > ongoing effort to keep away the *HARMFULS*,
>
> OK, I'll buy that definition. But how does StO keep *anyone* away?
> Scripts don't care what the banner says. Red Alert doesn't care. Nimda
> sure as hell doesn't.

Which only goes to prove how you have skipped studying current trends. Don't
take it personally, but any admin who does that is a graver danger to his
network than the most skilled cracker.

Heard of a couple of exploits for openssh? And openssh is widely used. Ever
heard of this little script called sshscan/sshdscan? Go take a look at the
source. *All* it does is scan for banners on port 22 over a given IP range,
and dutifully report the IP addresses of servers with matching strings. And
it is actually used by crackers as a tool to locate vulnerable servers, even
if its purpose is stated to be the opposite.

Guess what your little bit of laziness towards munging a few banners led to?
Voila! You have been compromised! Had you just removed at least the
*version* part of the string, the sshdscan script would have been happy to
ignore you. Dumb or not, this *was* the script most widely used in the
example I quote. But thanks to your laziness, you now have to explain to the
suits upstairs how it was perfectly justified to let the cracker
rm -rf your whole site, as well as maybe your mail server containing some
critical mails that had never even been read, just because you don't believe
in StO and won't use it even as an additional measure.

And for god's sake, don't give me the old rote about keeping the servers
patched. I do that, thank you. I have an IDS installed too. And a firewall.
And that won't stop someone coming up with an exploit which has not even
been announced. Again, the example of ssh. If you had but munged a few
banners, in addition to everything else, you would have survived showing up
as a potential target in the script output. I will be very interested in
hearing how you are going to explain away this one.

Agreed that many scripts don't use banners. Perhaps a lot, even for the
openssh exploit. But if even 40% of the scriptkiddies do use the one using
banners, wouldn't reducing the number of attempts by 40% be a significant
achievement? Especially if it is a new exploit, for which no patch is
available?

And what purpose *is* achieved by apache's announcing that it is version
1.2.20? Would a browser refuse to fetch the page if that announcement was not
made by the HTTP server?

You cannot ignore the fact, just for the sake of winning an argument, that
most of these crackers are not out to get you on a personal level, and all
they are looking for are a few easily exploitable hosts. And it helps to
keep a low profile and not to announce the fact in big bold letters.

> If I am a script kiddie using some exploit kit that I found, why would I
> stop once Apache claims it is something else? Why not just try the known
> exploits for every major webserver? It costs me nothing.

Because most scripts coded for script kiddies tend to at least check the
banner, lest the kiddie keep trying an exploit meant for apache against
IIS. Don't try to quote the nimda example. It is a worm. Worms don't crib
back and criticise the coder. And I will still use the ssh example.

> Bottom line: you will "stop" less than 0.5% of any attacks on your
> webserver, automated or otherwise by having your webserver misrepresent
> itself.

You don't "stop" those attacks. You just avoid extra trouble and laying out
an open invitation with a bottle of champagne for the crackers at your
doorstep, so to speak. If someone *is* going to try the exploit
manually, and *is* going to do it banner or no banner, then you are toast
either way if you are running an unpatched server.

But between you and me, if a simple 5 minutes of extra effort along with all
the usual measures like patching, checking logs and a firewall, helps to
convince half of those scriptkiddy crackers to go and play elsewhere... Why,
I am happy to make the extra effort.

Regards,
D

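Added example, not part of this thread or of any tool it names: a small Python audit that parses the SSH identification strings (RFC 4253 format) and HTTP Server headers you collect from your own hosts and flags the ones still announcing a version, which is the part of the banner the post says a banner-matching scanner keys on. Hostnames and banners below are constructed.

```python
import re

# SSH identification string per RFC 4253: SSH-protoversion-softwareversion [SP comments]
SSH_BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# A version number glued to the product token: OpenSSH_2.9p1 -> 2.9p1, Apache/1.2.20 -> 1.2.20
VERSION_RE = re.compile(r"[/_](?P<version>\d[\w.\-]*)")

def parse_ssh_banner(line):
    """Split an SSH identification string into proto/software/comments; None if malformed."""
    m = SSH_BANNER_RE.match(line.strip())
    return m.groupdict() if m else None

def software_from_http(header):
    """Product token of a Server header: 'Server: Apache/1.2.20 (Unix)' -> 'Apache/1.2.20'."""
    value = header.split(":", 1)[-1].strip()
    return value.split(" ")[0]

def version_exposed(software):
    """True when the product token still announces a version number."""
    return VERSION_RE.search(software) is not None

def audit(records):
    """records: iterable of (host, service, banner). One finding dict per record."""
    findings = []
    for host, service, banner in records:
        comments = None
        if service == "ssh":
            parsed = parse_ssh_banner(banner)
            software = parsed["software"] if parsed else ""   # "" = not an SSH banner
            comments = parsed["comments"] if parsed else None
        elif service == "http":
            software = software_from_http(banner)
        else:
            continue
        findings.append({
            "host": host, "service": service, "software": software,
            "version_exposed": version_exposed(software),
            "leaks_comments": bool(comments),  # distro/patch suffix is a second leak
        })
    return findings

# Constructed sample banners, as captured by connecting to your own hosts.
SAMPLE = [
    ("shell1.example", "ssh", "SSH-1.99-OpenSSH_2.9p1"),
    ("shell2.example", "ssh", "SSH-2.0-OpenSSH"),
    ("shell3.example", "ssh", "SSH-2.0-OpenSSH_2.9p1 Debian-1"),
    ("www1.example", "http", "Server: Apache/1.2.20 (Unix)"),
    ("www2.example", "http", "Server: Apache"),
    ("mail1.example", "ssh", "220 mail1 ready"),  # not an SSH banner at all
]
```

For Apache the product-only form corresponds to the ServerTokens directive; OpenSSH has no runtime switch to drop its version token, so the post's advice there means rebuilding sshd with an edited banner.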