> -----Original Message-----
> From: Davide Libenzi [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 05, 2002 10:33 AM
> To: XMail mailing list
> Subject: [xmail] Re: greeting banner
>
>
> ok, we have two different scenarios here:
Some would say three scenarios
>
> 1) someone is explicitly attacking you ( your IP )
>
> 2) someone is scanning open ports and trying exploits over them
3) some script kiddie read about a specific exploit on IRC or in a
newsgroup and is searching for a system to try it on
>
> in case 1) he will try every exploit in case of hidden banner
> because he is attacking _you_, so the time spent firing
> different exploits is not a problem. in case 2) the time
> spent to find open ports on different IPs is way longer than
> the time spent to fire exploits. as i told you before, an
> open port is a precious resource and in case of obfuscated
> banner you can bet your brand new car that the attacker will
> fire all known exploits for that port at you. you can say: "but
> XMail explicitly tells the OS and the CPU type !!". oh, that
> one is very difficult to guess ... the analysis of TCP stack
> responses can quite easily let you know the OS, and about the
> CPU your domain is pretty limited. imho, hiding banner is a
> mental masturbation of some loser security "expert" ...
>
In case 3) this kid's friend wrote a shell script to scan a list of IP
addresses and output the banners to a file. All the kid has to do is
find the banner that declares "I'm not up-to-date, please exploit me"
and run the exploit against that IP. This is likely "genius" activity in
the mind of the script kiddie, especially when they don't know what a
buffer or a port scan is.
>
>
> - Davide
>
Some of us feel that this type of threat is much more common than the
highly skilled cracker out to destroy you and your data. In today's
environment of publicly announced security vulnerabilities and their
exploit code coming around on a daily basis, it stands to reason that
many bored teenagers with high-speed broadband and a "kick-butt Linux
box" may find these exploits "interesting". This environment also
creates a situation where you have only days or hours or even minutes
from the time the vendor releases a patch/update to the time the exploit
code is released. Sometimes the exploit is released before the vendor
can release the fix, too. All the teen has to do is find a box that
isn't updated yet and they have their pigeon. This is the
simple-yet-common threat where a simple line of text in a config file
can __help__ protect your system until you update/upgrade.
Sure, serious crackers don't care about banners because they know the
banner can't always be trusted. But serious crackers will likely find a
way to compromise your system no matter what you do. If the admin can
configure a server/OS/firewall/etc to disallow all non-essential traffic
and hide what they cannot disable altogether, then the admin is doing
their job. Admins aren't in the business of writing or fixing code. As a
matter of fact, not all open source software users look at or care about
the source code. In my opinion, it's the job of the server developer to
provide functionality for the admin in addition to providing
functionality to the end user.
Finally, I'd like to say this: all this over a string of text? I like
the FAQ idea. That's my $0.02 - if you disagree then by all means keep
this flame going!
Kevin