Re: [users@httpd] Is it more secure to only return 200 and 404 error codes?


On 6/13/06, Robert Hulme <robert.hulme@xxxxxxxxx> wrote:
> The suggestion has been made to me that it is more secure to configure
> Apache to only return 200 and 404 error codes (or something similar)
> so that situations that would return any other 4xx or 5xx code will
> return 404 codes.
>
> The reasoning given for this is that it limits the amount of
> information available to a cracker about what is available from the
> webroot / how Apache is configured.
>
> This doesn't seem to be a good idea to me as it seems that it would
> violate the principle of returning appropriate error codes as defined
> in RFC 2616.
>
> I am really interested in the opinion of other Apache users /
> developers though - as I need to have a robust case for action
> whichever direction turns out to be the best.
>
> I have also been told that it is 'more secure' to hide the Apache
> version number in error reports / etc. This also sounds like 'security
> by obscurity' to me but again I would really appreciate any robust
> comments from you guys.

It is also more secure to unplug your network cable.  But it won't get
you very far.

My response to suggestions like this is that you don't do much good
because there are basically two types of crackers to worry about:
1) Stupid script kiddies and worms who don't care what your server
returns; they just try every possible exploit on every possible
server; and
2) Smart hackers who can easily figure out your version of Apache and
the structure of your site regardless of what options you turn off.

And I don't buy the argument that it doesn't cost anything.  It costs
your time to make these silly config changes when you could be
worrying about real security issues.  And it costs your time again
when you can't get proper debugging information from the server
because you've turned off all the useful feedback.

Joshua.
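As an added illustration of Joshua's last point (this is not code from the thread), the script below parses a few constructed Apache combined-log lines and compares the status histogram a defender would see normally against what survives once every non-404 4xx/5xx is reported as 404, as the proposed policy would do. The log lines, request paths and client addresses are all made up for the example.

```python
import re
from collections import Counter

# Constructed Apache combined-log lines (sample data, not from the thread).
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jun/2006:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Jun/2006:10:01:03 +0000] "GET /admin/ HTTP/1.1" 403 212 "-" "Mozilla/5.0"
10.0.0.7 - - [13/Jun/2006:10:01:04 +0000] "GET /missing.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Jun/2006:10:01:05 +0000] "POST /cgi-bin/form.cgi HTTP/1.1" 500 534 "-" "curl/7.15"
10.0.0.9 - - [13/Jun/2006:10:01:06 +0000] "POST /cgi-bin/form.cgi HTTP/1.1" 500 534 "-" "curl/7.15"
10.0.0.5 - - [13/Jun/2006:10:01:07 +0000] "GET /old/ HTTP/1.1" 301 231 "-" "Mozilla/5.0"
"""

# Combined Log Format: the status is the 3-digit field right after the quoted request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse(lines):
    """Yield (client, request line, status) for well-formed lines; skip malformed ones."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("req"), int(m.group("status"))

def collapse(status):
    """The policy discussed in the thread: any 4xx/5xx other than 404 becomes 404."""
    if 400 <= status <= 599 and status != 404:
        return 404
    return status

def status_histogram(lines, policy=None):
    """Count responses per status code, optionally after applying a collapse policy."""
    counts = Counter()
    for _, _, status in parse(lines):
        counts[policy(status) if policy else status] += 1
    return dict(counts)

def server_errors(lines):
    """Operational signal worth alerting on: 5xx responses grouped by request line."""
    return dict(Counter(req for _, req, status in parse(lines) if 500 <= status <= 599))

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("actual:   ", status_histogram(lines))          # 403 and 500 visible
    print("collapsed:", status_histogram(lines, collapse))  # all folded into 404
    print("5xx by request:", server_errors(lines))
```

With the collapse applied, the repeated 500s from the CGI script and the 403 on the admin path are indistinguishable from ordinary missing files, which is exactly the debugging and monitoring feedback the reply says you lose.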

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
