Hi there,

On 13 May 2001, Michael T. Babcock wrote:

> On 11 May 2001 19:49:46 -0400, R. DuFresne wrote:
> > > Hire someone who can.
> > > 
> > 
> > Who makes claims they can totally secure a system connected to the
> > internet from ever being compromised?  What person or company offers such
> > a guarantee?
> 
> Several offer guarantees almost that good.
> 
> Do your research.
> 
> Incidentally, Apple made that claim about one of their own webservers
> .. as did IBM.

Sorry guys, but this conversation is really drying up. How much can one possibly
say about changing server version strings before it's all been said??

In the vague hope I might find something new to contribute - my $0.02 ... keep
monitoring your servers and networks, security isn't a TRUE/FALSE so you don't
have a choice (no matter what Apple, IBM, or even the ASF for that matter, might
say). If someone claims their server/system is bullet-proof, stop doing
business with them - if they don't understand security then there's little hope
they can provide much of it to you.

If you want to screw round with your server string - go ahead, it doesn't hurt
(unless of course you change it to "Bullet-proof! version 0.1-alpha", that may
backfire on you). It's also probably a good idea to run an HTTP-to-HTTP proxy in
front where the proxy and server are different versions or even different
programs; try and force at least some of the possible classes of attack to find
a chain of exploits against both servers. And most of all, plan for an exploit - don't
waste your time talking about how to shut it out completely, that's a fool's
errand. Take all precautions you can to reduce the risk of it happening (and
keep doing so), keep listening and watching others as the classes of "risk" you
consider may be missing some really big and obvious things, take all measures
you can to detect an intrusion if it happens, and take all logistical measures
you can to ensure that the consequences of a successful intrusion (i.e. the
business or personal impact) can be controlled - don't wait for it to happen to
see what you would do. Do the thinking and planning now while you've got the
time and benefit of everyone not screaming at you.

Security is risk management. Altering a server version string?? ... well ... I
agree that it's not going to dramatically increase security, but boldly stating
the exact server version you *are* running in some kind of arrogant "do your
worst, this version is too good for you" mindset is certainly one of the least
intelligent things a responsible architect/admin could do. I run various things
to (try and) stop people looking for information on what I'm running (e.g.
portscanning) - I try to avoid giving them a clear look on the ignorant
assumption that what they see would somehow make them think "ooh, he's running
great stuff, let's go elsewhere". If you think changing server version strings
(this goes beyond just webservers of course) fits your risk management policy,
go for it. However, it changes very little of what else you should and should
not do.

Sorry for continuing the thread ... I'd meant to try and contribute something
new but probably haven't. Oh well. ;-)

Cheers,
Geoff
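
The two measures Geoff mentions, a product-only server banner on the origin server and a separate httpd build acting as a reverse proxy in front of it, written out as an added Apache httpd configuration example; this is not configuration from the thread or from the mod_ssl project, and the internal address 10.0.0.5:8080 and the quoted banner are made up for illustration.

```apache
# Weak (origin server): a Full banner advertises exact versions on every
# response and on error-page footers, for example a constructed banner such as
#   Server: Apache/1.3.x (Unix) mod_ssl/2.8.x OpenSSL/0.9.x
# ServerTokens Full
# ServerSignature On

# Hardened (origin server): only the product name is sent ("Server: Apache")
# and error pages carry no version footer.
ServerTokens Prod
ServerSignature Off

# Front-end reverse proxy on a separate host and separate httpd build. The
# origin listens only on an internal address (10.0.0.5:8080 is an assumed
# value); clients never reach it directly, so a weakness in either build
# alone does not give a path to the content.
# ProxyRequests Off is deliberate: ProxyPass reverse proxying still works, but
# leaving ProxyRequests On would also turn this host into an open forward proxy.
ProxyRequests Off
ProxyPass        /  http://10.0.0.5:8080/
ProxyPassReverse /  http://10.0.0.5:8080/
```

After restarting both servers, a plain HEAD request against the front end is the quickest check that neither the proxy nor the origin is still announcing a version.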


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]