On 31/07/2006, at 2:34 PM, [EMAIL PROTECTED] wrote:


my customer has said:

---------------------------------------------------------------------------
When you have a minute can you please configure our apache server error
pages to not list the webserver build and operating system as it is a
security risk.

For example if I go to www.edc.com.au/fred I get the following information

Apache/2.0.53 (Linux/SUSE)
---------------------------------------------------------------------------
I can conceive it being a slight risk, in that 'don't bother with all the
winders files.
Am I naive, is there a risk letting the world know WHAT os and web server you

I've noticed in recent months that certain security audit tools will list this as a security risk, and as such customers are following the recommendations from audits. So they are asking to have this stuff disabled/removed from view.

I guess it's not a bad idea to remove it, and at the end of the day it gives anyone looking less information about the system to work with. How much of a risk it is, that's anyone's guess. But like I said, it's one less bit of information someone looking at the system remotely has to work with.
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
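
The check an audit tool makes for the banner discussed in this thread, as an added example that is not part of the original messages: it reads a response's `Server` header and the error page footer, reports which details go beyond the product name, and names the Apache directive that removes each (`ServerTokens` and `ServerSignature`, which the thread does not mention). The sample response, its `<address>` footer and the host name are constructed.

```python
import re

# Apache banner: product, optional version, optional "(OS)", optional module tokens.
BANNER = re.compile(
    r"Apache(?:/(?P<version>\d+(?:\.\d+){0,2}))?"
    r"(?:\s+\((?P<os>[^)]+)\))?"
    r"(?P<modules>(?:\s+[\w.\-]+/\S+)*)"
)
# Footer Apache appends to generated error pages when ServerSignature is on.
FOOTER = re.compile(r"<address>(.*?)</address>", re.I | re.S)

# Constructed sample response for a missing page; the host name is a placeholder.
SAMPLE_HEADERS = {"Server": "Apache/2.0.53 (Linux/SUSE)"}
SAMPLE_BODY = (
    "<html><body><h1>Not Found</h1><hr>\n"
    "<address>Apache/2.0.53 (Linux/SUSE) Server at www.example.com Port 80"
    "</address></body></html>"
)

def disclosed(banner):
    """Return which kinds of detail an Apache banner string reveals."""
    m = BANNER.search(banner or "")
    if not m:
        return set()
    kinds = {"product"}
    kinds.update(k for k in ("version", "os") if m.group(k))
    if m.group("modules").strip():
        kinds.add("modules")
    return kinds

def audit(headers, body):
    """List (location, banner, extra detail, directive that removes it)."""
    findings = []
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    extra = disclosed(server) - {"product"}
    if extra:
        findings.append(("Server header", server, sorted(extra), "ServerTokens Prod"))
    footer = FOOTER.search(body or "")
    if footer:
        text = footer.group(1).strip()
        extra = disclosed(text) - {"product"}
        if extra:
            findings.append(("error page footer", text, sorted(extra), "ServerSignature Off"))
    return findings

if __name__ == "__main__":
    for where, banner, extra, fix in audit(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{where}: {banner!r} reveals {', '.join(extra)}; set {fix}")
```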
