On 11.08.2012 15:51, Michael Meyer wrote:
> *** Reindl Harald wrote:
>> On 11.08.2012 14:17, Michael Meyer wrote:
>
>>>> "Security By Obscurity" is not a good security
>>>> but it is a damned good ADDITIONAL security for still hardened machines
>>>
>>> No. It implies no safety gain
>>
>> you really try to explain me that there is no difference between
>> hide what webserver type you are running instead blowing out
>>
>> Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze6 with Suhosin-Patch
>> mod_python/3.3.1 Python/2.6.6 mod_ssl/2.2.16
>> OpenSSL/0.9.8o
>> X-Powered-By: PHP/5.3.3-7+squeeze6
>>
>> with each single response?
>>
>> this is nonsense!
>
> To believe that this increased security is just wrong. Hiding the
> banner doesn't make a webserver (or other services) more secure

it makes it not secure by the definition of secure but it makes automated
attacks followed by simplest scans less likely in the time window between
release of a security update and install it on the machine

if you try to get "new members" of your botnet what would you do?

* try every possible exploit on every machine you find
* try specific exploits on machines which tell you exact patchlevel

i would do the second because the first takes way too long and
would wake up every IDS and rate-control
_______________________________________________
Openvas-discuss mailing list
[email protected]
http://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
