+++ Abhi [linux-india] <07/05/02 15:52 +0900>:
> Obscuring scares away most of the script-kiddies.
Hehehe... you really think so? 90% of the kiddies are brute-force
exploiters, who will blindly try whatever exploit they have on hand, till one
succeeds. They won't bother to fingerprint OSs / mailservers etc. to try only
relevant exploits.
> If you are clueless enough to sit smug and advertise all so helpful info in
> your banners, god help your network when a new exploit comes out. A hacker
And munging your SMTP banner helps for that just how? God help your network
when a new exploit comes out anyway, if you run sendmail 8.6 with "220
hostname esmtp" in the banner (say).
s/hacker/cracker/ (cue Philip Tellis...)
> I suppose, all the security veterans that advise changing your service
> banners are completely clueless by your standards ?
Reminds me of a recent thread between Dave Sill and Neil Rickert on
comp.mail.sendmail a while back.
I won't say clueless - but I _will_ say that munging version headers is utter
rubbish.
> But I'd rather not have clueless script kiddies filling up my logs and
> generating false alarms... and thus making it difficult to detect and stop
So, filter them out... a little mod_perl (search for Nathan Torkington's
vermicide, for example) takes care of all the Nimda crap filling up your
logs. Portsentry / other IDS which dynamically add nullroutes or iptables
deny rules against cracker IPs are another way to do this.
> Ever cared to look at the sshscan etc. ? It tries to scan for particular
> versions of ssh. Also try reading the archives of the nmap mailing lists.
Yeah. Seen those. Again, the vast majority of crackers - I say this from
a look at all the logs I have with me right now, and it is a LOT of logs -
don't know or care about OS versions, or banners, or whatever. So, it is
pointless to munge them out.
And, as you point out, tools to fingerprint the OS and software exist,
however much you edit out version info.
> Lots of sysadmins would go as far as modifying the TTL values etc. to
> resemble some other system.
And manage to break several other things while they are at it. Playing with
the TTL values to make an NT machine look like OpenBSD (or vice versa) is a
stupid waste of time and resources, and severely impacts performance, to
boot.
> Is there anything wrong with taking one *more* security measure ? Will you
> actually not be able to live without displaying the version number of your
> MTA ?
An unnecessary, and totally bogus security measure, which engenders a false
sense of security. Kind of like "the emperor's new clothes".
> Thieves *will* snap open the lock on your frontgate in seconds with a
> crowbar... Does that necessarily mean that you should give up on the locks
> ?
No... wrong example. What you are saying is "put a cheap brand of lock on
your door, and stamp Godrej Nav Tal on it, or maybe chisel out the lock's
brand name from the lock"
> Did you by any chance, *really* read my mail thoroughly and stumble across a
> technique I referred to, called firewalking ? Search for it on google and
> then tell me your objections...
I know. I saw that. My objection still stands.
> --clue-- ... he doesn't *need* to break into the firewall... go look up the
OK - so he manages to find out the internal network details by firewalking.
Fat bloody lot of good it does for him, if he can't actually get into that
network. Which he can't, unless he manages to get into that firewall first.
> And do you seriously intend to imply that divulging all the internal details
> of one's network structure/addressing on a public list is a *good and
> commendable* security policy ?
Good? Commendable? Maybe not, especially if you are running a network
which is fully routable over the internet (well, there's stuff like
portscans, or a simple DNS AXFR to give you details, in such a case...).
Yup, yup, I know allowing AXFR to all and sundry is bad, and I personally
don't allow that on any of my nameservers, but nslookup and dig will give you
quite a lot of usable information, even if you think it is "a secret".
However, as the OP's (the Nepali admin's) network is an RFC 1918 network, and
basically unreachable over the 'net, I still don't see your point.
-srs
--
Suresh Ramasubramanian <----> mallet <at> efn dot org
EMail Sturmbannfuhrer, Lower Middle Class Unix Sysadmin
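One way to do what the message above suggests (filter the worm noise out of the web logs so the real events stand out, and feed the offending IPs into iptables deny rules the way Portsentry does) is sketched here as an added example; it is not part of the original post, nor code from vermicide or Portsentry. The probe paths are the well-known request signatures of Nimda and Code Red; the access-log lines and client addresses are constructed (RFC 5737 documentation ranges), and the two-probes-before-blocking threshold is an arbitrary choice.

```python
"""Drop Nimda / Code Red probe noise from an access log and emit block rules.

Added example, not from the original post. The worm probes are a good
illustration of the point made in the thread: they hit the same IIS paths
on every host regardless of banner, so a Unix box gets the same junk.
"""
import re
from collections import Counter

# Apache/NCSA common log format:
#   host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request paths probed by Nimda and Code Red (signatures only, no exploit code).
PROBE_RES = [
    re.compile(r'/scripts/root\.exe', re.I),             # Code Red II backdoor, reused by Nimda
    re.compile(r'/MSADC/root\.exe', re.I),               # same backdoor via /MSADC
    re.compile(r'/[cd]/winnt/system32/cmd\.exe', re.I),  # Nimda, drive-letter virtual dirs
    re.compile(r'/_vti_bin/.*cmd\.exe', re.I),           # Nimda, ..%5c traversal variants
    re.compile(r'/default\.ida\?', re.I),                # Code Red .ida ISAPI probe
]


def parse_line(line):
    """Return the fields of one common-log-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_worm_probe(path):
    """True if the request path matches a known Nimda / Code Red probe."""
    return any(r.search(path) for r in PROBE_RES)


def filter_log(lines):
    """Split log lines into (kept, probes_per_ip).

    kept: lines a human should still look at, in original order.
    probes_per_ip: Counter of worm probes keyed by client IP.
    Lines that don't parse are kept rather than silently discarded.
    """
    kept, probes = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_worm_probe(rec['path']):
            probes[rec['ip']] += 1
        else:
            kept.append(line)
    return kept, probes


def iptables_rules(probes_per_ip, threshold=2):
    """iptables DROP rules for every IP with at least `threshold` probes.

    The threshold (assumed value) avoids blocking on a single stray hit;
    output is sorted so it is stable and easy to diff against a previous run.
    """
    return [
        f'iptables -I INPUT -s {ip} -j DROP'
        for ip, n in sorted(probes_per_ip.items())
        if n >= threshold
    ]


# Constructed sample log: one noisy scanner, one Code Red hit, one real
# visitor, one single-probe host that stays under the threshold.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/May/2002:15:40:01 +0530] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291',
    '203.0.113.7 - - [07/May/2002:15:40:01 +0530] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289',
    '203.0.113.7 - - [07/May/2002:15:40:02 +0530] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301',
    '203.0.113.7 - - [07/May/2002:15:40:02 +0530] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 330',
    '198.51.100.23 - - [07/May/2002:15:41:10 +0530] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 400 250',
    '192.0.2.44 - - [07/May/2002:15:42:00 +0530] "GET /index.html HTTP/1.1" 200 4521',
    '192.0.2.44 - - [07/May/2002:15:42:03 +0530] "GET /images/logo.png HTTP/1.1" 200 1190',
    '192.0.2.99 - - [07/May/2002:15:43:00 +0530] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291',
]

if __name__ == '__main__':
    kept, probes = filter_log(SAMPLE_LOG)
    print(f'{len(kept)} lines kept, {sum(probes.values())} worm probes dropped')
    for rule in iptables_rules(probes):
        print(rule)
```

Run against the sample it keeps the two real-visitor lines, drops six probes, and prints a DROP rule for 203.0.113.7 only; 198.51.100.23 and 192.0.2.99 stay under the threshold. In real use you would pipe `tail -f` of the access log through `filter_log` and hand the rules to a script with the rights to run iptables, and expire the rules after a while so a reassigned dynamic IP isn't blocked forever.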
[Linux One Stanza Tip] From : <[EMAIL PROTECTED]>
LOST #045 -**< Sub : Console boot (debian systems) >**-
To boot into the console with xdm/gdm/kdm installed, changing
/etc/inittab does not help. Use the [update-rc.d] program
meant for changing init parameters in the Sys-V init process. All
system startup links for /etc/init.d/xdm will be removed, viz.
# update-rc.d -f xdm remove (or gdm / kdm)
_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/linux-india-help