On 21.03.2012 13:48, Tim Bannister wrote:
> On 21 Mar 2012, at 12:39, Reindl Harald wrote:
>
>> 1 out of a million servers needs TRACE enabled
>>
>> it was ALWAYS a good idea to disable ANYTHING by default that is not really
>> needed and this principle will stay
>
> inetd normally ships with echo not running, but kernels usually ship with
> ICMP enabled.
> I think TRACE is more like ICMP echo than tcp/7 echo.

strange comparison

> If a distribution wants to ship a default configuration that
> disables TRACE, isn't that enough?

no, because distributions in most cases expect that the upstream defaults are useful and have a reason

> The issue is naïve / lazy server admins, and almost all of those
> will install httpd from a distribution

OK, so you call me "lazy" and "naive" because I heard about TRACE for the first time after complaints from a security audit of a big customer, while I have spent many nights researching server hardening over the last years?

fact is that nessus scans usually complain about TRACE being on, and depending on the policies of the customer you MUST disable it, even if you did not know what it is or that it is enabled, and hell, I do not find any case where it could be useful
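The audit finding the thread argues about is easy to reproduce and to re-check after hardening. The script below is an added example, not code from the thread or from the httpd project: it sends a TRACE request carrying a canary header and classifies the answer. A server with TRACE enabled replies 200 with Content-Type message/http and echoes the request, including any Cookie or Authorization header the client sent, which is why scanners flag it; httpd with TraceEnable off (the real directive, global context) answers 405 Method Not Allowed. The host name, port, canary header name and the sample responses are constructed for the example; the parsing and classification functions run offline on raw response bytes, so they can be exercised without a server.

```python
"""Probe a server for HTTP TRACE and report whether it echoes request headers.

Added example for the TRACE discussion, not part of the original thread.
Assumes a plain HTTP (not TLS) server reachable at host:port; the raw
responses used in the example calls at the bottom are constructed.
"""
import http.client
import re

STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3})")


def parse_raw_response(raw):
    """Split raw HTTP/1.x response bytes into (status, headers, body).

    Header names are returned lower-cased so lookups are case-insensitive;
    the body is returned unchanged as bytes.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header terminator in response")
    lines = head.split(b"\r\n")
    match = STATUS_LINE.match(lines[0])
    if not match:
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return int(match.group(1)), headers, body


def classify_trace(status, headers, body):
    """Return 'enabled', 'disabled' or 'unknown' for a TRACE response.

    RFC 7231 TRACE: 200 with Content-Type message/http and the request
    echoed in the body.  httpd with TraceEnable off: 405 Method Not Allowed.
    Anything else (a WAF returning 403, a 501, a proxy's 200 text/html
    error page) is reported as 'unknown' rather than guessed.
    """
    ctype = headers.get("content-type", "").lower()
    if status == 200 and ctype.startswith("message/http") and body.startswith(b"TRACE "):
        return "enabled"
    if status == 405:
        return "disabled"
    return "unknown"


def echoed_headers(body):
    """Lower-cased names of request headers a TRACE-enabled server echoed back."""
    head = body.split(b"\r\n\r\n", 1)[0]
    names = []
    for line in head.split(b"\r\n")[1:]:  # skip the echoed request line
        name, sep, _ = line.partition(b":")
        if sep:
            names.append(name.strip().lower().decode("latin-1"))
    return names


def probe_trace(host, port=80, path="/", canary="X-Trace-Probe"):
    """Send TRACE with a canary header; return (verdict, canary_was_echoed).

    Network call; host/port are whatever you are auditing (example values
    are assumptions, not a real target).
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path, headers={canary: "canary-value"})
        resp = conn.getresponse()
        body = resp.read()
        headers = {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()
    verdict = classify_trace(resp.status, headers, body)
    echoed = verdict == "enabled" and canary.lower() in echoed_headers(body)
    return verdict, echoed


# Constructed responses: what an audit sees before and after "TraceEnable off".
TRACE_ON = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nContent-Length: 71\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\nCookie: session=s3cr3t\r\n\r\n"
)
TRACE_OFF = (
    b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("before", TRACE_ON), ("after", TRACE_OFF)):
        status, headers, body = parse_raw_response(raw)
        print(label, classify_trace(status, headers, body), echoed_headers(body))
```

Run `probe_trace("www.example.com")` against a host you are allowed to scan; a verdict of `enabled` together with `True` means the server reflects arbitrary request headers, which is the exact condition the Nessus plugin reports. After adding `TraceEnable off` to the global server configuration and reloading httpd, the same call should return `('disabled', False)`.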
