Re: service version disclosure

On 01/08/2012 01:46 PM, Reindl Harald wrote:


On 08.01.2012 21:06, Ian Pilcher wrote:
On 01/06/2012 11:31 PM, Reindl Harald wrote:
yes, i know it is security by obscurity
but does it hurt?

Yes, it hurts.

It hurts every time we make life a little more difficult to satisfy
someone's misguided idea of "securitee".  I refer you to the
Transportation Security Administration if you have any doubt of this.

there are no misguided ideas

EVERY security specialist will tell you that you should never
disclose details, versions, configurations - NEVER if you
can avoid it

you need an example?

* disclose as defaults do OS, Apache-Version and PHP-Version
* what needs an attacker to do?
* receive ANY page, analyze the header
* after that he knows EXACTLY what exploits are working

if you do NOT disclose this information he must try every
possible exploit - this will only happen if you are directly
targeted

but in the real world there are thousands of bots searching
for vulnerable services 24 hours a day on the whole web
and if a signature matches someone is getting notified

if you are not aware of this fact i recommend you some
education in security!

SSH was here only an example
i meant GENERALLY how fedora/RHEL is dealing with defaults
_______________________

this is a worst-case example of a ubuntu-server and the
default footer if a directory-listing (only after authentication
but a software-source i know which i do not disclose here)

Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.14 with Suhosin-Patch
mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8 Server at **** Port 80

and such things are only happening if maintainers do not choose
defaults with care - if you are too late with a security update
or there is a known vulnerability with no updates yet you are
blowing out that you are vulnerable which is the same as a
documentation how to get hacked!

So from my logs. Not a probe first, just plain trying to get data using a hopeful exploit. They don't care what version of anything I'm running.

/chronoPopup.php?PERIOD=../../../../../../../../../../etc/passwd%00 HTTP Response 200
/chronoPopup.php?PERIOD=/etc/passwd HTTP Response 200
/chronoPopup.php?PERIOD=/../../../../../../../../../../proc/self/environ%00 HTTP Response 200
/chronoPopup.php?PERIOD=../../../../../../../../../../proc/self/environ HTTP Response 200
/chronoPopup.php?PERIOD=../../../../../../../../../../etc/passwd HTTP Response 200
/chronoPopup.php?PERIOD=/../../../../../../../../../../etc/passwd%00 HTTP Response 200
/chronoPopup.php?PERIOD=/../../../../../../../../../../etc/passwd HTTP Response 200

I realize it looks like they got the files they wanted, but in reality it ignored the request and sent the data it always does...

In any case, I still get tons of requests for Default.aspx, as well as a whole host of requests for IIS vulnerabilities. Even though I run Linux and Apache. Hiding the version changes nothing. The software doing all this scanning simply *tries* to exploit, not find out exploitable machines so it can tell some random human to then run a script against it....

--
Nathanael d. Noblet
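The log excerpt above shows what a defender actually sees from these untargeted scanners: traversal sequences, null-byte truncation, and requests for IIS paths on an Apache host, all answered with a 200 that proves nothing. The following detector is an added example, not code from the thread; it runs over a constructed log sample in the same "request HTTP Response status" shape as the excerpt (that format is an assumption) and flags the probe patterns without treating the status code as evidence of success.

```python
"""Flag path-traversal / LFI probes of the kind quoted in the log excerpt."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines mirroring the requests in the post (not a real log).
SAMPLE_LOG = """\
/chronoPopup.php?PERIOD=../../../../../../../../../../etc/passwd%00 HTTP Response 200
/chronoPopup.php?PERIOD=/etc/passwd HTTP Response 200
/chronoPopup.php?PERIOD=/../../../../../../../../../../proc/self/environ%00 HTTP Response 200
/Default.aspx HTTP Response 404
/index.php?page=about HTTP Response 200
"""

# Assumed line format: "<request> HTTP Response <status>".
LINE_RE = re.compile(r"^(?P<req>\S+) HTTP Response (?P<status>\d{3})$")
SENSITIVE = ("/etc/passwd", "/proc/self/environ")

def classify(request: str) -> list[str]:
    """Return the reasons a request looks like an automated exploit attempt."""
    reasons = []
    parts = urlsplit(request)
    # parse_qsl decodes once; decoding a second time also catches double-encoded
    # probes such as %252e%252e%252f.
    values = [unquote(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for v in values:
        if "\x00" in v:
            reasons.append("null-byte truncation")
        if "../" in v.replace("\\", "/"):
            reasons.append("directory traversal")
        if any(v.replace("\x00", "").endswith(s) for s in SENSITIVE):
            reasons.append("sensitive file reference")
    # ASP/ASP.NET paths requested from an Apache host: platform-blind scanner noise.
    if parts.path.lower().endswith((".aspx", ".asp")):
        reasons.append("platform-mismatched probe")
    return sorted(set(reasons))

def scan_log(text: str) -> list[tuple[str, int, list[str]]]:
    """Return (request, status, reasons) for every flagged line.
    The status is carried along for the report but never used as a signal:
    a 200 only means the script answered as it always does."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and (reasons := classify(m["req"])):
            hits.append((m["req"], int(m["status"]), reasons))
    return hits

if __name__ == "__main__":
    for req, status, why in scan_log(SAMPLE_LOG):
        print(f"{status} {req}\n    -> {', '.join(why)}")
```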