Deocs Postmaster wrote:
> 
> At 07:54 AM 05/07/2001, you wrote:
> >Deocs Postmaster wrote:
> > >  From telnet HEAD / HTTP/1.0 returns the type of server,
> > > installed modules, and other information.
> >
> > > Why is this information so openly disclosed, and is
> > > there an easy way to disable or modify it?
> >
> >Do you think hiding your apache version number will save you from
> >hackers? Security through obscurity is no security. A typical hack
> >program looks like this:
> >
> >foreach (@list_of_hosts_to_hack) {
> >         my $version = get_apache_version_number($_);
> >
> >         if (defined($version)) {
> >                 do_fiendish_hack($_);
> >         }
> >         else {
> >
> >                 # Drat! hackee has hidden version number!
> >
> >                 do_fiendish_hack_anyway($_);
> >         }
> >}
> >
> >If you really want to hide it, use the ServerTokens directive.
> 
> It appears the current default is that the server disclose this information.

Correct. Why shouldn't it?

I understand your feeling that we should not hand out things on a plate
to hackers but if you reflect on it, a sys-admin's job is not to make
hacking a little bit more difficult, it is to make hacking impossible. 

Your security should rely on a firewall, well-installed utilities and a
robust OS - not on no-one guessing your server type, OS and whether or
not you have a few commonly-used modules installed. Your system should
be so secure that even if a hacker is in possession of your full server
spec he still can't get in. 

Put it another way, if you build a burglar-proof wall around your house
that no-one can get through - does it matter if you publish your address
and even tell them what the bricks are made of?

Rgds,
Owen Boyle.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
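Owen's point is that the banner is not a defence, but an administrator still wants to know what a `HEAD / HTTP/1.0` currently reveals and which `ServerTokens` level that corresponds to before deciding to change it. The following is an added example, not code from this thread or from the Apache project; the HEAD response is constructed, and the mapping from `Server` header to `ServerTokens` level is an assumed heuristic based on Apache's documented level formats.

```python
import re

# Apache's own ServerTokens level names, from least to most disclosure.
LEVELS = ["Prod", "Major", "Minor", "Min", "OS", "Full"]

# Constructed HEAD response of the kind the thread describes (Date, version
# and module strings are made up for the example).
SAMPLE_HEAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 07 May 2001 07:54:00 GMT\r\n"
    "Server: Apache/1.3.19 (Unix) mod_ssl/2.8.1 OpenSSL/0.9.6\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

def parse_head_response(raw: str) -> dict:
    """Split a raw HTTP response into its status line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers}

def classify_server_tokens(server: str) -> str:
    """Assumed heuristic: infer the ServerTokens level that would emit this banner.
    Prod='Apache', Major='Apache/2', Minor='Apache/2.4', Min='Apache/2.4.41',
    OS='Apache/2.4.41 (Unix)', Full=OS plus module strings."""
    m = re.match(r"^Apache(?:/(\d+)(?:\.(\d+))?(?:\.(\d+))?)?(\s+\(([^)]*)\))?(\s+\S.*)?$", server)
    if not m:
        return "unknown"          # not an Apache-style banner
    major, minor, patch, os_part, _, modules = m.groups()
    if modules:  return "Full"
    if os_part:  return "OS"
    if patch:    return "Min"
    if minor:    return "Minor"
    if major:    return "Major"
    return "Prod"

def audit_server_header(raw: str) -> dict:
    """Report the banner, its inferred level, and the directive that would reduce it.
    'ServerTokens Prod' and 'ServerSignature Off' are real httpd.conf directives."""
    server = parse_head_response(raw)["headers"].get("server", "")
    level = classify_server_tokens(server)
    fix = None if level == "Prod" else "ServerTokens Prod\nServerSignature Off"
    return {"server": server, "level": level, "recommend": fix}
```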