> Correct. Why shouldn't it?
>
> I understand your feeling that we should not hand out things on a plate
> to hackers but if you reflect on it, a sys-admin's job is not to make
> hacking a little bit more difficult, it is to make hacking impossible.
>
> Your security should rely on a firewall, well-installed utilities and a
> robust OS - not on no-one guessing your server type, OS and whether or
> not you have a few commonly-used modules installed. Your system should
> be so secure that even if a hacker is in possession of your full server
> spec he still can't get in.
>
> Put it another way, if you build a burglar-proof wall around your house
> that no-one can get through - does it matter if you publish your address
> and even tell them what the bricks are made of?
>
> Rgds,
> Owen Boyle.
I hate to disagree, but I think you are both right and both wrong at the
same time. I agree that security through obscurity is little security,
however consider this scenario:
You are the sysadmin for several Apache servers. Each of these has several
modules built in (eg PHP, mod_ssl, Jserv, mod_perl). You have to keep all of
these up to date to prevent hackers from breaking in. However, a security
flaw is found in one of these parts over a weekend. Your system gets hacked
simply because someone can easily find whether your machine is vulnerable.
Why attempt to hack all systems when you can find all the vulnerable ones
quite easily? If a burglar comes across a house with a burglar alarm and the
house next door doesn't have one, he's more inclined to attack the one next
door. Worse still, imagine he finds a note on the door of the second house
saying where the keys are hidden?
It really is not possible to build an entirely secure computer system,
especially if you connect it to the Internet. No matter how much security,
firewalls, etc that you have, you still have to open port 80 (and 443 of
course for SSL) to the whole world.
Therefore we should use all means at our disposal including "security
through obscurity". It should never of course be relied on for all security.
And to actually answer the question, use:
ServerTokens ProductOnly
in your httpd.conf file to limit the information to "Apache".
If you check our site at www.rnib.org.uk you'll find that has already been
done.
-
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
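A way to verify the ServerTokens change John suggests actually took effect, as an added example that is not part of this thread: it parses the Server header out of a raw HTTP response and names the ServerTokens level (ProductOnly, Major, Minor, Minimal, OS, Full, as documented in the Apache manual) that would produce it. The sample responses are constructed, not captured from any host.

```python
"""Added audit example (not from the thread): infer the Apache ServerTokens level
from a Server header so an admin can confirm "ServerTokens ProductOnly" took effect."""
import re
from typing import Optional, Tuple

# ServerTokens levels, least to most verbose (Apache manual): "Apache" ... "Apache/2.4.x (Unix) PHP/x".
LEVELS = ["ProductOnly", "Major", "Minor", "Minimal", "OS", "Full"]
_APACHE = re.compile(r"Apache(?:/(\d+)(?:\.(\d+))?(?:\.(\S+))?)?(?:\s*\((.*?)\))?(.*)")

def server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def tokens_level(server_value: str) -> str:
    """Name the ServerTokens level that would produce this Server header."""
    if server_value != "Apache" and not server_value.startswith("Apache/"):
        return "NotApache"  # e.g. "Apache-Coyote/1.1" is Tomcat, not httpd
    major, minor, patch, os_part, rest = _APACHE.fullmatch(server_value).groups()
    if rest.strip():  # component tokens after the OS, e.g. mod_ssl/PHP versions
        return "Full"
    if os_part is not None:
        return "OS"
    if patch is not None:
        return "Minimal"
    if minor is not None:
        return "Minor"
    if major is not None:
        return "Major"
    return "ProductOnly"

def audit(raw_response: str, required: str = "ProductOnly") -> Tuple[bool, str]:
    """True if the Server header is no more verbose than `required`, plus a reason."""
    value = server_header(raw_response)
    if value is None:
        return True, "no Server header"
    level = tokens_level(value)
    if level == "NotApache":
        return False, "unrecognised Server header: " + value
    return LEVELS.index(level) <= LEVELS.index(required), "Server: %s (%s)" % (value, level)

# Constructed sample responses: a chatty default build and a hardened one.
VERBOSE = ("HTTP/1.1 200 OK\r\nServer: Apache/1.3.20 (Unix) mod_ssl/2.8.4 "
           "OpenSSL/0.9.6 PHP/4.0.6\r\nContent-Type: text/html\r\n\r\n<html></html>")
HARDENED = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html></html>"
```

Feed it the response from your own server (for example the output of a raw HEAD request) to check each host after a configuration change.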