RE: Removing or overwriting "Server" header field.


OK, I now see this is an old discussion which I shouldn't have
re-visited.

My problem is: I have a security audit done by a reputable
organisation (National Computing Centre, UK) and I have
to deal with their findings.  I'm well aware most serious
hackers won't bother with trivia like the "Server:" header.
But it was raised as an issue and if I'm not going to do
anything about it then I have to justify that to the boss.

Having read the Developer list archives I guess I now have
the information I need...


Simon Ashford.


-----Original Message-----
From: jslive@xxxxxxxxx [mailto:jslive@xxxxxxxxx]On Behalf Of Joshua
Slive
Sent: 24 January 2007 21:50
To: users@xxxxxxxxxxxxxxxx
Subject: Re: Removing or overwriting "Server" header field.


On 1/24/07, Richard de Vries <richard_devries@xxxxxxxxx> wrote:

> I have modsecurity running on my apache instances, and
> I often see all kinds of IIS exploits hitting my box.
> This then gives me time to look thru my various apache
> and firewall logs, and take some corrective measures
> like for instance slapping some IPTables rules on the
> box to block that IP.

Have you looked at some of the previous threads on this topic?  I'm guessing no.

Have you ever investigated how many people who DO NOT hide their
apache Server identity also get hit by huge quantities of IIS attacks?
The number is close to 100% from my observations.

Here's the trick: There are basically two types of "crackers" you need
to worry about, script-kiddies, and sophisticated hackers.  The first
type will try every possible exploit on every server they can find;
they rarely if ever bother to look at the Server header or anything
else.  The latter type can easily figure out what kind of server
you're running very unobtrusively whether or not you display the
Server header.  So in neither case will hiding the Server header buy
you anything at all.

Your argument seems to be that there may be a small number of crackers
in between those two groups that might be delayed by a few minutes if
you hide your Server header.  I don't see any evidence that such
crackers actually exist.  And even if they did, your time would be
much better spent worrying about real security issues than putting a
tiny roadblock in their way.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
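An added example, not from the thread, in the spirit of the log review Richard describes above: a small Python scanner that parses Apache combined-format access log lines, counts requests for IIS-only paths (always noise on an Apache host, whatever the Server header says) per client address, and lists sources that cross a threshold as candidates for the kind of firewall rule he mentions. The sample log lines, the marker list and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" log format, e.g.
# 203.0.113.7 - - [24/Jan/2007:21:50:01 +0000] "GET /scripts/cmd.exe HTTP/1.0" 404 293 "-" "-"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# Path fragments that only make sense against IIS; on an Apache host they are
# always noise from indiscriminate scanners (constructed, deliberately short list).
IIS_MARKERS = ("/scripts/", "/msadc/", "/_vti_bin/", "cmd.exe", ".asp", "/iisadmin/")

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_iis_probe(path):
    p = path.lower()
    return any(marker in p for marker in IIS_MARKERS)

def iis_probes_by_ip(lines):
    """Count IIS-targeted requests per client IP; unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_iis_probe(rec["path"]):
            counts[rec["ip"]] += 1
    return counts

def block_candidates(lines, threshold=3):
    """IPs that sent at least `threshold` IIS probes, busiest first (constructed policy)."""
    return [ip for ip, n in iis_probes_by_ip(lines).most_common() if n >= threshold]

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jan/2007:21:50:01 +0000] "GET /scripts/cmd.exe HTTP/1.0" 404 293 "-" "-"',
    '203.0.113.7 - - [24/Jan/2007:21:50:02 +0000] "GET /msadc/ HTTP/1.0" 404 290 "-" "-"',
    '203.0.113.7 - - [24/Jan/2007:21:50:03 +0000] "GET /default.asp HTTP/1.0" 404 291 "-" "-"',
    '198.51.100.9 - - [24/Jan/2007:21:51:10 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Jan/2007:21:51:11 +0000] "GET /_vti_bin/ HTTP/1.1" 404 289 "-" "-"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, n in iis_probes_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} IIS-targeted requests")
    print("block candidates:", block_candidates(SAMPLE_LOG))
```

Feed it `access_log` lines from a real host and tune the threshold before turning its output into firewall rules; a single stray probe is not worth a block.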


