On Thu, Feb 10, 2011 at 12:59:07PM -0000, Lee Archer wrote:
> Thanks, I will do some investigation.

Sometimes blocking some TCP flag combinations with iptables can be enough
to stop detection. I also happen to set the default TTL to 128 because
some tools are confused by that setting mixed with linux-like fingerprints
and don't know what OS is running there (netcraft used to report "unknown").
I don't think nmap is fooled by that but you may want to try.

BTW, haproxy by itself is detectable too even though it does not insert any
identification string. There is a tool whose name I just forgot which is
able to inject various abnormal patterns and to identify how the server
responds. It has specific code to detect haproxy's behaviour, parsing,
etc...

Your site's security should not rely on the ability to identify the OS or
products. Not being able to spot precise versions is important though in
case of a 0-day vulnerability. But the fact that you're running haproxy
on linux does not preclude what is running behind it. I'd even say that
the proxy nature of haproxy completely hides what is behind it and prevents
the smart products from guessing what is running there.

If you consider haproxy as your car's bumper, you should not care about it
but about what it's supposed to protect ;-)

Regards,
Willy
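The two measures mentioned in the message above (dropping TCP flag combinations that never occur in legitimate traffic, and raising the default TTL to 128) as a small POSIX sh script. This is an added example, not from the haproxy mailing list or the haproxy project; the flag list is the one commonly found in Linux hardening guides and is an assumption here, as are the script's function names. Without APPLY=1 it only prints the commands, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not from the haproxy thread): print, or with APPLY=1 as root
# execute, the iptables and sysctl commands that drop abnormal TCP flag
# combinations and set the default TTL to 128.

# Each line: <mask> <comp>, meaning "of the flags in <mask>, exactly those in
# <comp> are set". OS-fingerprinting tools send such probes to watch how the
# stack answers; a normal client never does. The list is an assumption taken
# from common hardening guides, not the rules used by the author of the mail.
ABNORMAL_FLAGS='
ALL NONE
ALL ALL
ALL FIN,PSH,URG
SYN,FIN SYN,FIN
SYN,RST SYN,RST
FIN,RST FIN,RST
FIN,ACK FIN
ACK,URG URG
ACK,PSH PSH
'

DEFAULT_TTL=128   # Linux normally uses 64; 128 is the Windows default

# Print the command, or run it when APPLY=1 (needs root).
run_or_print() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# One DROP rule on the INPUT chain per abnormal flag combination.
tcp_flag_rules() {
    printf '%s\n' "$ABNORMAL_FLAGS" | grep -v '^[[:space:]]*$' |
    while read -r mask comp; do
        run_or_print iptables -A INPUT -p tcp --tcp-flags "$mask" "$comp" -j DROP
    done
}

# Set the default TTL used for all outgoing IPv4 packets.
ttl_rule() {
    run_or_print sysctl -w "net.ipv4.ip_default_ttl=$DEFAULT_TTL"
}

# Show the TTL currently in effect, or "unknown" where /proc is not readable.
current_ttl() {
    cat /proc/sys/net/ipv4/ip_default_ttl 2>/dev/null || echo unknown
}

# Stand-alone run: emit (or apply) everything, then report the live TTL.
tcp_flag_rules
ttl_rule
echo "# current default TTL: $(current_ttl)"
```

After applying, `iptables -L INPUT -v -n` shows the DROP rules with their packet counters, which is also a cheap way to see how often such probes actually arrive. None of these combinations appears in legitimate TCP traffic, so the rules do not affect real clients. As the message itself notes, a TTL change alone does not fool nmap; these measures only raise the cost of the simpler fingerprinting and do nothing for the security of what sits behind the proxy.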

