At 07:54 AM 05/07/2001 , you wrote:
>Deocs Postmaster wrote:
> >  From telnet HEAD / HTTP/1.0 returns the type of server,
> > installed modules, and other information.
>
> > Why is this information so openly disclosed, and is
> > there an easy way to disable or modify it?
>
>Do you think hiding your apache version number will save you from
>hackers? Security through obscurity is no security. A typical hack
>program looks like this:
>
>foreach (@list_of_hosts_to_hack) {
>         my $version = get_apache_version_number($_);
>
>         if (defined($version)) {
>                 do_fiendish_hack($_);
>         }
>         else {
>
>                 # Drat! hackee has hidden version number!
>
>                 do_fiendish_hack_anyway($_);
>         }
>}
>
>If you really want to hide it, use the ServerTokens directive.


My concern isn't the Apache version number, it's more which server is
running (Apache, IIS, something else), what other major modules are
installed (SSL, PERL, ASP, Python, DAV, etc).  At the moment IIS has
a hole big enough to drive a truck through, and securityfocus
(indirectly) has examples of the exploit.  Currently they have
links to two C programs and one Perl script.  My issue isn't with
these vulnerabilities being exposed, it's the servers making the
hackers' job easier.

I think obscurity is part of security, we hide the password file,
and have rules for making the passwords hard to crack, why make it
any easier than we need to?  Disclosing internal file paths is a
no-no, but it amounts to obscuring information about the server.  As
it stands now, if I wanted to hack into a server I would start by
going to netcraft to learn what kind of server (and features) are
being used, then to securityfocus to get its vulnerabilities,
maybe even get a sample program showing how to exploit those
vulnerabilities.  I think those bits of information would make it
much easier, and part of security is to make it difficult.  If the
server didn't disclose its details I wouldn't be starting with
a known set of vulnerabilities and an example program.  It appears
the current default is that the server discloses this information.

Regards,
Dave
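An added example, not part of the thread, for checking your own server from the defender's side: it parses the headers a HEAD request returns and maps the Server header onto the ServerTokens level (Prod, Major, Minor, Min, OS, Full) that would produce it, listing the modules disclosed. The two responses are constructed samples with made-up version numbers, not captured from any real host.

```python
import re

# Constructed sample HEAD responses (illustrative values, not from a real host).
RESPONSE_FULL = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 07 May 2001 07:54:00 GMT\r\n"
    "Server: Apache/1.3.19 (Unix) mod_ssl/2.8.1 OpenSSL/0.9.6 mod_perl/1.25\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
RESPONSE_PROD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return the response headers as a dict keyed by lower-cased header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def server_tokens_level(value):
    """Map a Server header value onto the ServerTokens level that emits it.

    Returns (level, product, version, os, modules); level is one of
    Prod, Major, Minor, Min, OS, Full, or "unknown" if the value is not parseable.
    """
    m = re.match(r"([^/\s]+)(?:/(\S+))?(?:\s+\(([^)]*)\))?(.*)$", value)
    if m is None:
        return "unknown", None, None, None, []
    product, version, os_name, rest = m.groups()
    modules = rest.split()                       # tokens after the OS parenthetical
    if version is None:
        return "Prod", product, None, None, []   # "Apache"
    dots = version.count(".")
    if dots == 0:
        level = "Major"                          # "Apache/2"
    elif dots == 1:
        level = "Minor"                          # "Apache/2.4"
    elif os_name is None:
        level = "Min"                            # "Apache/2.4.1"
    elif modules:
        level = "Full"                           # "Apache/2.4.1 (Unix) mod_x/1.2"
    else:
        level = "OS"                             # "Apache/2.4.1 (Unix)"
    return level, product, version, os_name, modules

def audit(raw):
    """Summarise what a raw HEAD response discloses through its Server header."""
    server = parse_headers(raw).get("server")
    if server is None:
        return {"level": "none", "product": None, "version": None, "os": None, "modules": []}
    level, product, version, os_name, modules = server_tokens_level(server)
    return {"level": level, "product": product, "version": version, "os": os_name, "modules": modules}
```

Anything above Prod (the documented effect of `ServerTokens Prod`) is reporting version, OS or module details that the thread is arguing about.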

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]