Users,
Oops, I originated this question. As usual, the group promptly
provided a wide array of perspectives and technical insights.
How to change the signature:
(1) ServerTokens ProductOnly in the config file
(2) apache_src_dist/src/includes/httpd.h in the code
In the end it's a configuration question that needs to be
decided for each server. Another question is what are
we trying to protect and from whom:
- The pages displayed (i.e. defacing)
- The information on the server (i.e. data theft)
- Resources required to maintain servers
- Recreational hackers, defacers, resource thieves, competitors
I think it's difficult to make things impossible. If someone
wants to get into a server, and they are willing to invest the
time and energy, they can probably do it, signature or not.
There is no shortage of hacking techniques or sites that have
been hacked, including inside jobs and stealing the computer.
The black-grey-white issue is how much do we simplify their job,
and in the end, does what we do really matter?
The bragging rights point also made its way around. If we
cloak our servers too much, then M$ may get (even) more
credit than they deserve.
From a TV-news show a while back I noted that automakers do
drive some cars (that are under development) with cloaks that
cover the car body.
FYI: One of the CULT OF THE DEAD COW pages points to Security Focus.
Dave
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
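
An added example, not part of the original message: a small audit helper that reads a config file's text, finds the effective ServerTokens level from option (1) above, and shows the Server header that level would send, following the levels in the Apache httpd documentation. The version string, OS name, module token and sample config are constructed; the helper assumes the last ServerTokens directive wins and does not follow Include files.

```python
import re

# Disclosure rank per ServerTokens level, least to most revealing.
# "productonly" and "minimal" are the long spellings of "prod" and "min".
LEVELS = {
    "prod": 0, "productonly": 0,
    "major": 1, "minor": 2,
    "min": 3, "minimal": 3,
    "os": 4, "full": 5,
}

# Constructed sample config: the first directive is commented out.
SAMPLE_CONF = """\
# ServerTokens Full
ServerName www.example.test
ServerTokens ProductOnly
"""

def effective_level(conf_text):
    """Return the level set by the last active ServerTokens line.

    With no directive present the server default, Full, applies.
    Assumption: a later directive overrides an earlier one.
    """
    level = "full"
    for line in conf_text.splitlines():
        m = re.match(r"\s*ServerTokens\s+(\S+)", line, re.IGNORECASE)
        if m and m.group(1).lower() in LEVELS:
            level = m.group(1).lower()
    return level

def server_header(level, version="2.4.2", os_name="Unix",
                  modules=("ExampleMod/1.0",)):
    """Build the Server header value a given level would disclose.

    version, os_name and modules are constructed sample values.
    """
    rank = LEVELS[level.lower()]
    if rank == 0:
        return "Apache"
    if rank <= 3:
        # Ranks 1..3 keep that many dotted version components.
        return "Apache/" + ".".join(version.split(".")[:rank])
    header = f"Apache/{version} ({os_name})"
    if rank == 5:
        header += " " + " ".join(modules)
    return header

if __name__ == "__main__":
    lvl = effective_level(SAMPLE_CONF)
    print(lvl, "->", "Server:", server_header(lvl))
```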