On 08.01.2012 21:06, Ian Pilcher wrote:
> On 01/06/2012 11:31 PM, Reindl Harald wrote:
>> yes, i know it is security by obscurity
>> but does it hurt?
>
> Yes, it hurts.
>
> It hurts every time we make life a little more difficult to satisfy
> someone's misguided idea of "securitee". I refer you to the
> Transportation Security Administration if you have any doubt of this.

there are no misguided ideas

EVERY security specialist will tell you that you should never
disclose details, versions, configurations - NEVER if you
can avoid it

you need an example?

* disclose as defaults do OS, Apache-Version and PHP-Version
* what does an attacker need to do?
* receive ANY page, analyze the header
* after that he knows EXACTLY what exploits are working

if you do NOT disclose this information he must try every
possible exploit - this will only happen if you are directly targeted

but in the real world there are thousands of bots searching
for vulnerable services 24 hours a day on the whole web and
if a signature matches someone is getting notified

if you are not aware of this fact i recommend you some
education in security!

SSH was here only an example
i meant GENERALLY how fedora/RHEL is dealing with defaults
_______________________

this is a worst-case example of a ubuntu-server and the default
footer of a directory-listing (only after authentication but
a software-source i know which i do not disclose here)

Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.14 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8 Server at **** Port 80

and such things are only happening if maintainers do not choose
defaults with care - if you are too late with a security update
or there is a known vulnerability with no updates yet you are
blowing out that you are vulnerable which is the same as a
documentation how to get hacked!
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
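An added example, not part of the original message or of any Fedora tooling: a small audit helper for checking what your own server's `Server` header or directory-listing footer gives away, run here over the banner quoted in the message. The function names `audit_banner` and `is_minimal` are hypothetical, and the parsing assumes the usual `product/version (comment)` banner layout.

```python
import re

# Banner copied from the message above, without the "Server at **** Port 80" tail.
SAMPLE_BANNER = (
    "Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 mod_python/3.3.1 Python/2.5.2 "
    "PHP/5.2.4-2ubuntu5.14 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g "
    "mod_perl/2.0.3 Perl/v5.8.8"
)

# Either a parenthesised comment, or a product name with an optional /version.
TOKEN = re.compile(r"\(([^)]*)\)|([A-Za-z][\w.+-]*)(?:/(\S+))?")


def audit_banner(banner):
    """Split a banner into versioned products, comments and bare words."""
    findings = {"versions": {}, "comments": [], "bare": []}
    for comment, product, version in TOKEN.findall(banner):
        if comment:
            # e.g. "(Ubuntu)": names the distribution, hence the package set
            findings["comments"].append(comment)
        elif version:
            # e.g. "OpenSSL/0.9.8g": exact version of one component
            findings["versions"][product] = version
        else:
            # e.g. "Suhosin-Patch": component name without a version
            findings["bare"].append(product)
    return findings


def is_minimal(banner):
    """True when the banner carries no version strings and no OS comment."""
    found = audit_banner(banner)
    return not found["versions"] and not found["comments"]


if __name__ == "__main__":
    report = audit_banner(SAMPLE_BANNER)
    for product, version in report["versions"].items():
        print(f"discloses version: {product} {version}")
    for comment in report["comments"]:
        print(f"discloses platform: {comment}")
    print("minimal banner:", is_minimal(SAMPLE_BANNER))
```

On Apache httpd the directives that control this output are `ServerTokens` and `ServerSignature`; with `ServerTokens Prod` the header is reduced to `Apache`, which `is_minimal` accepts.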