On 2001.10.20, Jim Wilcoxson <[EMAIL PROTECTED]> wrote:

> To me, security is a sequence of roadblocks. It is never perfect, but
> I see no reason to remove roadblocks because they are not 100%
> effective. I could stop locking my home's front door since it can be
> broken with a large pair of ChannelLocks, but I don't.

We're all familiar with the cliche, "Locks only keep honest people out." In this case, the "honest people" are just those looking to do some analysis on webserver types and so on. Perhaps even those who are looking to proactively protect people out there running insecure systems -- probe machines and notify owners if they're running known vulnerable versions of services. I considered starting this very service three years ago -- gave up on it because I didn't have enough faith in humankind to actually DO anything about the notifications, and so didn't want to waste my time.

Hackers and denial-of-service attackers neither need nor care about your Server: header. It's quicker and easier for them to create "rootkits" which try every known exploit in brute-force style until the server either yields or the rootkit exhausts its search space. So, by removing the Server: header you're not protecting yourself any against these folks. Their attacks couldn't care less what type of machine you're running nor the version of your software. This exact behavior pattern is evidenced by the recent worms such as Nimda and Code-Red and so on.

Do what you will -- removing your Server: header will not protect you any, and it will only defeat honest people from doing what they're trying to do.

-- Dossy

-- 
Dossy Shiobara                mail: [EMAIL PROTECTED]
Panoptic Computer Network     web:  http://www.panoptic.com/
  "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
