On Thu, 5 Sep 2002, Lars Troen wrote:

> There are several references describing why it is a Good Thing(tm) to
> edit the banner:
> http://www.ibm.com/linux/Securing_Linux_Servers_xSP_external.pdf
> http://rr.sans.org/infowar/fingerprint.php
> http://www.net.ohio-state.edu/security/talks/199x_state-of-the-hack/state-of-hack.pdf
> http://www.csnc.ch/downloads/docs/hardening/SolarisHardening_CSNC.pdf
> http://www.microsoft.com/technet/security/prodtech/mailexch/opsguide/e2ksec03.asp
>
> http://www.greyhats.org/outils/smtpscan/remote_smtp_detect.pdf
> (identifies xmail too)
>
> While some might consider this as -security by obscurity- that might
> give a false sense of security. It still helps a _bit_. And every little
> bit helps.
>
> All security scanners also check for such banners and xmail will give
> much info on the scanned system: mail service, os, date, timezone. While
> some of these data can be retrieved by other means (os: nmap, date: icmp
> request) you should usually try to make it as hard as possible. As we've
> found in one of the documents above, xmail too can be successfully
> identified without the use of greeting banners (along with 76 other mail
> servers (including different versions of the same software)).
>
> While xmail might not get this feature any time soon, there are many commonly
> used mail servers that have this feature available now. IMHO such a
> feature is useful.

ok, we have two different scenarios here :

1) someone is explicitly attacking you ( your IP )

2) someone is scanning open ports and trying exploits over them

in case 1) he will try every exploit in case of hidden banner because he is
attacking _you_, so the time spent firing different exploits is not a
problem.
in case 2) the time spent to find open ports on different IPs is way
longer than the time spent to fire exploits. as i told you before, an open
port is a precious resource and in case of obfuscated banner you can bet
your brand new car that the attacker will fire you all known exploits for
that port. you can say : "but XMail explicitly tells the OS and the CPU
type !!". oh, that one is very difficult to guess ... the analysis of TCP
stack responses can quite easily let you know the OS and about the CPU
your domain is pretty limited. imho, hiding banner is a mental
masturbation of some loser security "expert" ...



- Davide

