Ralf Corsepius <rc040203@xxxxxxxxxx> wrote:

[...]

> Many servers/services return an id-string identifying the version of a
> particular piece of SW - If this string is correct, it provides clear
> information to which vulnerabilities it is likely to be vulnerable.

In my experience, the use of those for troubleshooting is much more
important than any vulnerabilities exposed this way. Crackers (particularly
automated attacks) usually just dive in, without any regard to any version
strings. Besides, it is easy to guess (quite accurately, via something like
nmap) what is at the other end.

Hiding what you are running is an example of what is dismissed with the quip
"Security through obscurity, isn't". It is uniformly regarded as almost
completely useless. Fix the vulnerabilities, don't pretend they aren't
there.

> Therefore many server admins use faked id-strings or don't provide this
> kind of information.

That is detrimental to legitimate uses, and stops no cracker.

-- 
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica              Fono: +56 32 2654431
Universidad Tecnica Federico Santa Maria       +56 32 2654239
Casilla 110-V, Valparaiso, Chile         Fax:  +56 32 2797513