On 6/13/06, Robert Hulme <robert.hulme@xxxxxxxxx> wrote:
The suggestion has been made to me that it is more secure to configure Apache to only return 200 and 404 error codes (or something similar) so that situations that would return any other 4xx or 5xx code will return 404 codes. The reasoning given for this is that it limits the amount of information available to a cracker about what is available from the webroot / how Apache is configured.

This doesn't seem to be a good idea to me as it seems that it would violate the principle of returning appropriate error codes as defined in RFC 2616. I am really interested in the opinion of other Apache users / developers though - as I need to have a robust case for action whichever direction turns out to be the best.

I have also been told that it is 'more secure' to hide the Apache version number in error reports / etc. This also sounds like 'security by obscurity' to me but again I would really appreciate any robust comments from you guys.
It is also more secure to unplug your network cable. But it won't get you very far.

My response to suggestions like this is that you don't do much good because there are basically two types of crackers to worry about:

1) Stupid script kiddies and worms who don't care what your server returns; they just try every possible exploit on every possible server; and

2) Smart hackers who can easily figure out your version of Apache and the structure of your site regardless of what options you turn off.

And I don't buy the argument that it doesn't cost anything. It costs your time to make these silly config changes when you could be worrying about real security issues. And it costs your time again when you can't get proper debugging information from the server because you've turned off all the useful feedback.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
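For reference, the two settings the thread argues about, written out as an added httpd.conf fragment (not posted by either participant) with what each one does and does not change; the /errors/ paths and the sample Server header value are assumptions.

```apache
# Added example, not from the thread. Shows the "hide information"
# settings under discussion and the limits of each one.

# Server response header. The default (ServerTokens Full) sends something
# like "Server: Apache/2.x.y (Unix) PHP/5.x" (constructed sample value);
# "Prod" reduces it to "Server: Apache". Core httpd has no directive to
# drop the header entirely, so the product name is always visible.
ServerTokens Prod

# Removes the "Apache/2.x.y Server at host Port 80" footer line that
# httpd appends to its generated error pages.
ServerSignature Off

# Custom error pages. Caveat for the "return 404 for everything" idea:
# with a local path httpd serves the named page but KEEPS the original
# status code, so a forbidden resource is still a 403 on the wire even
# when the body says "Not Found". Pointing ErrorDocument at an absolute
# URL does change the status, but to a 302 redirect, not a 404.
ErrorDocument 403 /errors/404.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/404.html
```

In other words, these directives trim the version string and the page footer, but the status code that RFC 2616 says should describe the failure is still sent, which is the behaviour Joshua's reply counts on for debugging.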