The absence of a number may encourage the person attacking to be more general in their approach, which increases server load etc. So if there is a version number, they may not bother.

But as has been pointed out, the reliability of the dist info is questionable as it can be faked. Also, most attacks (on small sites) are usually just scripts which will unintelligently try everything and move on. On the *DOWN SIDE* of removing versions and dists, it may make ascertaining the version harder for the administrator, which in turn may lull the client into a false sense of security, in that with or without the version number present, the software will still be vulnerable to the same attacks. If you do an audit, having the version numbers may (most likely will) uncover much larger (and indeed, serious) vulnerabilities in dated software.

Dean

On Mon, July 31, 2006 2:41 pm, Michael Fox wrote:
> On 31/07/2006, at 2:34 PM, [EMAIL PROTECTED] wrote:
>
>> G'day
>>
>> my customer has said:
>>
>> ---------------------------------------------------------------------------
>> When you have a minute can you please configure our apache server error
>> pages to not list the webserver build and operating system as it is a
>> security risk.
>>
>> For example if I go to www.edc.com.au/fred I get the following
>> information
>>
>> Apache/2.0.53 (Linux/SUSE)
>> ---------------------------------------------------------------------------
>> I can conceive of it being a slight risk, in that 'don't bother with all the
>> winders files'.
>> Am I naive, is there a risk letting the world know WHAT os and web server you
>> run?
>
>
> I've noticed in recent months that certain security audit tools will
> list this as a security risk, and as such customers are following the
> recommendations from audits. So they are asking to have this stuff
> disabled/removed from view.
>
> I guess it's not a bad idea to remove it, and at the end of the day
> gives anyone looking less information about the system to work with.
> How much a risk it is, that's anyone's guess. But like I said, it's one
> less bit of information someone looking at the system remotely has to
> work with.
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
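The change the customer asks for in the quoted message, as an added example that is not part of the thread: the two Apache httpd directives that decide what the Server header and the error-page footer reveal. The directive names and values are real httpd directives; the config filename and the example hostname in the comments are assumptions, since the thread does not say which SUSE config layout is in use. Dean's caveat above still applies: this only changes what is advertised, not what is installed.

```apache
# Added example, not from the thread: httpd directives that control what the
# server says about itself. Goes in the main server config (httpd.conf or the
# distribution's equivalent; filename assumed) followed by a restart of httpd.

# ServerTokens sets the detail level of the Server response header.
# The default "Full" produces e.g. "Apache/2.0.53 (Linux/SUSE)";
# "Prod" sends just "Apache". Valid only in the main server config, not per vhost.
ServerTokens Prod

# ServerSignature adds the trailing footer line to server-generated pages such
# as 404 and 500 errors ("Apache/2.0.53 (Linux/SUSE) Server at www.example.com
# Port 80", hostname assumed). The version detail in that line follows
# ServerTokens; "Off" drops the footer entirely.
ServerSignature Off
```

To confirm the change on your own host after the restart, request a page that does not exist (like the /fred example in the thread) and look at both the `Server:` header and the bottom of the error page; `curl -I` against your own server shows the header. The version still exists on disk, so keep checking it through your package manager rather than through the browser.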
