The argument you are using is a general one, saying security doesn't
come from obscurity. While this is meaningful in a broad sense, in real
life scenarios obscurity often improves already existing security. The
problem is that all but a few mistake one for the other and that this
misunderstanding in turn leads to security problems.
The less information you reveal of a system, the more difficult it is to
mount attacks. This is true for script-kiddies and sophisticated hackers
alike so try to avoid leaving fingerprints if you can. Trying to blindly
exploit a found problem in an unknown application on an unknown platform
can be near impossible. Being able to deduce the OS, analyze the
application code, and replicate the system can make even a one-shot-only
attempt trivial.
Nothing will make your "sophisticated hackers" more happy than
discovering a non-standard open-source attack surface. In the absolute
majority of the cases these are not audited or mature, and will break
when you pick them apart. Not being able to fingerprint them makes it a
totally different problem.
I'm guessing you won't accept me saying this since you claim a greater
understanding in the matter than you should, so I'll just say this once
and then stay out of the discussion.
Kind regards,
Fredrik Widlund
Joshua Slive skrev:
On 1/24/07, Richard de Vries <[EMAIL PROTECTED]> wrote:
I have modsecurity running on my apache instances, and
I often see all kinds of IIS exploits hitting my box.
This then gives me time to look thru my various apache
and firewall logs, and take some corrective measures
like for instance slapping some IPTables rules on the
box to block that IP.
Have you looked at some of the previous threads on this topic? I'm
guessing no.
Have you ever investigated how many people who DO NOT hide their
apache Server identity also get hit by huge quantities of IIS attacks?
The number is close to 100% from my observations.
Here's the trick: There are basically two types of "crackers" you need
to worry about, script-kiddies, and sophisticated hackers. The first
type will try every possible exploit on every server they can find;
they rarely if ever bother to look at the Server header or anything
else. The latter type can easily figure out what kind of server
you're running very unobtrusively whether or not you display the
Server header. So in neither case will hiding the Server header buy
you anything at all.
Your argument seems to be that there may be a small number of crackers
in between those two groups that might be delayed by a few minutes if
you hide your Server header. I don't see any evidence that such
crackers actually exist. And even if they did, your time would be
much better spent worrying about real security issues than putting a
tiny roadblock in their way.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
