Re: fingerprinting BIND 9.1.0

2001-02-02 Thread Cy Schubert - ITSD Open Systems Group

In message [EMAIL PROTECTED], Hendy * writes:
 On Wed, Jan 31, 2001 at 02:13:07PM -0500, Lucas Holt wrote:
  Hiding a version number does not stop someone who knows what they are doing,
  but it does stop script kiddies out there.  If a 14 year old kid can not
  figure out what they are dealing with, they will move on to easier targets.

 agreed, but it won't just stop kiddies, but more importantly, massowns,
 which take place e.g. to build up distributed flood networks, won't attack
 your host, if you changed the version string.

 on the other hand, a changed version string could also ''attract'' hackers,
 who want to break into that host.

 i am pretty sure bind fingerprinting tools will show up when people
 remove/change their named's version strings.

Changing the version string on a 8.2.3 or 9.1.0 server to report 4.9.5
would be a better solution.  Script kiddies and more experienced
crackers will attempt BIND4 exploits on your BIND8 or 9 server and
confuse them for a while.  Hopefully by then you would have noticed the
activity.  Automated notification to one's pager will help.


Regards,                              Phone:     (250)387-8437
Cy Schubert                           Fax:       (250)387-5766
Team Leader, Sun/Alpha Team           Internet:  [EMAIL PROTECTED]
Open Systems Group, ITSD, ISTA
Province of BC



Re: fingerprinting BIND 9.1.0

2001-02-01 Thread Lucas Holt

Hiding a version number does not stop someone who knows what they are doing, but it
does stop script kiddies out there.  If a 14 year old kid can not figure out what
they are dealing with, they will move on to easier targets.

"William D. Colburn (aka Schlake)" wrote:

 The FAQ file that comes with the distribution already covers all this.
 While it used to seem like a good idea to obfuscate version numbers,
 things like nmap can be written for just about any internet service
 which would make version obfuscation just a false sense of security.
 Even if your version is obscured, a known exploit will still work
 against it if someone tries.  I agree with the BIND people that there
 isn't much point in hiding that information.



--

Lucas Holt
[EMAIL PROTECTED]
___
http://www.foolishgames.com

"The Macintosh software might have become the successor to MS-DOS.
OS/2 or UNIX might have.  As it happened, MS-DOS was succeeded by Windows..."
--Bill Gates, The Road Ahead

If Windows never happened, what would be on your desktop?



Re: fingerprinting BIND 9.1.0

2001-02-01 Thread Hendy *

On Wed, Jan 31, 2001 at 02:13:07PM -0500, Lucas Holt wrote:
 Hiding a version number does not stop someone who knows what they are doing, but it
 does stop script kiddies out there.  If a 14 year old kid can not figure out what
 they are dealing with, they will move on to easier targets.

agreed, but it won't just stop kiddies, but more importantly, massowns,
which take place e.g. to build up distributed flood networks, won't attack
your host, if you changed the version string.

on the other hand, a changed version string could also ''attract'' hackers,
who want to break into that host.

i am pretty sure bind fingerprinting tools will show up when people
remove/change their named's version strings.

take care,

-hendy

--
.,!.. _ ___ ___ __ _  .
,j't.  [EMAIL PROTECTED] [TESO]   or   [EMAIL PROTECTED] [HOME]
 K=-=:: -=-   fax  vbox: +49-2561-959-55697  gsm/sms: [EMAIL PROTECTED]
  "=i.: [-'PGP: ``finger [EMAIL PROTECTED]''[www.team-teso.net/hendy]
   /;:":.\ PGP Fprint:   5AAE 5111 2C39 5E86 9D45  70C3 CA8F 0C20 EF27 264A
. ;}'   '(, . _ ___  . :wq!



Re: fingerprinting BIND 9.1.0

2001-02-01 Thread Russell Fulton

On Wed, 31 Jan 2001 08:15:01 -0700 "William D. Colburn (aka Schlake)"
[EMAIL PROTECTED] wrote:

 The FAQ file that comes with the distribution already covers all this.
 While it used to seem like a good idea to obfuscate version numbers,
 things like nmap can be written for just about any internet service
 which would make version obfuscation just a false sense of security.
 Even if your version is obscured, a known exploit will still work
 against it if someone tries.  I agree with the BIND people that there
 isn't much point in hiding that information.


Me too.

Obfuscated version numbers also make internal auditing much more
difficult.

I see many automated attacks (particularly against ftp) which make no
effort to work out which software is running and what hardware it is
running on.

Kiddies don't look and professionals won't be fooled, you will only
fool a few in the middle.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand



Re: fingerprinting BIND 9.1.0

2001-01-31 Thread William D. Colburn (aka Schlake)

The FAQ file that comes with the distribution already covers all this.
While it used to seem like a good idea to obfuscate version numbers,
things like nmap can be written for just about any internet service
which would make version obfuscation just a false sense of security.
Even if your version is obscured, a known exploit will still work
against it if someone tries.  I agree with the BIND people that there
isn't much point in hiding that information.

FAQQ: How do I restrict people from looking up the server version?
FAQ
FAQA: Put a "version" option containing something other than the real
FAQversion in the "options" section of named.conf.  Note doing this will
FAQnot prevent attacks and may impede people trying to diagnose problems
FAQwith your server.  Also it is possible to "fingerprint" nameservers to
FAQdetermine their version.
FAQ
FAQQ: How do I restrict only remote users from looking up the server
FAQversion?
FAQ
FAQA: The following view statement will intercept lookups as the internal
FAQview that holds the version information will be matched last.  The
FAQcaveats of the previous answer still apply, of course.
FAQ
FAQ  view "chaos" chaos {
FAQ      match-clients { those to be refused; };
FAQ      allow-query { none; };
FAQ      zone "." {
FAQ          type hint;
FAQ          file "/dev/null";  // or any empty file
FAQ      };
FAQ  };

On Tue, Jan 30, 2001 at 07:14:20PM -0600, [EMAIL PROTECTED] wrote:
 Date: Tue, 30 Jan 2001 19:14:20 -0600
 From: [EMAIL PROTECTED]
 Subject:  Re: fingerprinting BIND 9.1.0
 To: [EMAIL PROTECTED]

 In message [EMAIL PROTECTED]
 Max Vision writes:

  The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded
  chaos record called "authors".

[ snip ]

  % dig @ns.example.com authors.bind chaos txt

 I've been playing some with BIND 9.1.0, and have found that queries
 like this can be suppressed using the new "view" capability. I now
 have in my named.conf, the following:

 view "external-chaos" chaos {
     match-clients { any; };
     recursion no;
     zone "." {
         type hint;
         file "/dev/null";
     };
 };

 and a similar entry for hesiod records. Queries then against either
 chaos or hesiod records will come back as "servfail".

 Alternatively, creating your own "bind." domain with CH, rather than
 IN, records for SOA and TXT data will override hardcoded values. I've
 also got a "bind." domain that has this record:

 version.bind.   0   CH   TXT   "Who knows"

 so that if I don't use a "view" to block chaos records, then at least
 I give out only information that I want to give out.

 --
 Randall Raemon
 shikahr.com.inter.net, email to rlr

--
William Colburn, "Sysprog" [EMAIL PROTECTED]
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn
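The thread's practical takeaway is that a faked or blocked version string is only useful if you also notice who asks for it (Cy Schubert's "hopefully by then you would have noticed the activity", and Russell Fulton's point that hidden versions hurt internal auditing). The following is an added example, not code from the thread or from BIND itself: a small Python filter over BIND 9 query-log lines that flags CHAOS-class queries for the built-in names and aggregates them per client, so the probes can be reviewed or forwarded to a pager. It assumes the BIND 9 querylog layout (`client <ip>#<port>: query: <name> <class> <type> ...`, with the optional parenthesised qname that newer versions print); the sample log lines are constructed for this example. Besides version.bind and authors.bind, which the thread discusses, hostname.bind and id.server are included because named answers them the same way.

```python
"""Flag fingerprinting probes (CH TXT queries for named's built-in names)
in BIND 9 query-log output and summarise them per client.

Added example for this thread; the sample log lines are constructed and
the regex assumes the BIND 9 querylog format described in the lead-in.
"""
import re
from collections import Counter, defaultdict

# Names whose CH-class TXT answers are synthesised by named itself.
# version.bind and authors.bind are the ones discussed in the thread;
# hostname.bind and id.server are the other BIND 9 built-ins.
BUILTIN_CH_NAMES = {"version.bind", "authors.bind", "hostname.bind", "id.server"}

QUERY_RE = re.compile(
    r"client\s+(?P<ip>[0-9a-fA-F.:]+)#\d+"      # source address and port
    r"(?:\s+\([^)]*\))?"                        # optional "(qname)" in newer logs
    r":\s+query:\s+(?P<qname>\S+)\s+(?P<qclass>\S+)\s+(?P<qtype>\S+)"
)

# Constructed sample: one normal IN query, three CH probes from two
# clients, and a version.bind lookup in class IN, which is not a probe
# because only the CH class reaches the built-in answers.
SAMPLE_LOG = """\
31-Jan-2001 14:13:07.000 client 192.0.2.10#1025: query: www.example.com IN A -
31-Jan-2001 14:13:09.000 client 198.51.100.7#3456: query: version.bind CH TXT -
31-Jan-2001 14:13:10.000 client 198.51.100.7#3457: query: authors.bind CH TXT -
31-Jan-2001 14:14:01.000 client 192.0.2.10#1026: query: version.bind IN TXT -
31-Jan-2001 14:15:22.000 client 203.0.113.5#2000 (hostname.bind): query: hostname.bind CH TXT - (192.0.2.1)
"""


def parse_query(line):
    """Return the client IP, qname, qclass and qtype of a querylog line,
    or None if the line is not a query record."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "qname": m.group("qname").rstrip(".").lower(),  # normalise trailing dot
        "qclass": m.group("qclass").upper(),
        "qtype": m.group("qtype").upper(),
    }


def is_fingerprint_probe(query):
    """A probe is a CHAOS-class query for one of the built-in names.
    The class check matters: the same name in class IN is ordinary traffic."""
    return (
        query is not None
        and query["qclass"] == "CH"
        and query["qname"] in BUILTIN_CH_NAMES
    )


def probes_by_client(lines):
    """Count probes per client IP and record which names each one asked for."""
    counts = Counter()
    names = defaultdict(set)
    for line in lines:
        query = parse_query(line)
        if is_fingerprint_probe(query):
            counts[query["ip"]] += 1
            names[query["ip"]].add(query["qname"])
    return counts, names


def alerts(lines, threshold=1):
    """Clients that sent at least `threshold` probes, with the names they
    queried, sorted for stable output. Hand the result to whatever
    notification channel (pager, mail, SIEM) the site uses."""
    counts, names = probes_by_client(lines)
    return {
        ip: sorted(names[ip])
        for ip, n in sorted(counts.items())
        if n >= threshold
    }


if __name__ == "__main__":
    for ip, queried in alerts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: CH probe for {', '.join(queried)}")
```

Run against a live server's query log (enable `querylog` or a query channel in named.conf), the same filter works on a tail of the log; raising `threshold` above 1 suppresses one-off lookups by curious admins while still catching the scripted probe-then-exploit pattern the thread describes.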