Ralf Corsepius <rc040203@xxxxxxxxxx> wrote:
> On Thu, 2007-02-01 at 01:05 -0300, Horst H. von Brand wrote:
> > Ralf Corsepius <rc040203@xxxxxxxxxx> wrote:
> >
> > [...]
> >
> > > Many servers/service return an id-string identifying the version of a
> > > particular piece of SW - If this string is correct, it provides clear
> > > information to which vulnerabilities it is likely to be vulnerable.
> >
> > In my experience, the use of those for troubleshooting is much more
> > important than any vulnerabilities exposed this way. Crackers (particularly
> > automated attacks) usually just dive in, without any regard to any version
> > strings. Besides, it is easy to guess (quite accurately, via something like
> > nmap) what is at the other end. Hiding what you are running is an example
> > of what is dismissed with the quip "Security through obscurity, isn't".

> It will surprise you: I share this opinion.

> Nevertheless, it still seems pretty common practice.

Yes, as the saying here goes, if dumb people could fly, you'd never see the sun.

> > It is uniformly regarded as almost completely useless. Fix the
> > vulnerabilities, don't pretend they aren't there.

> I've recently read an article, claiming that most server attacks these
> days would be quite simple ("Is this a win server? If yes, attack, if no
> stop the attack.) because the overall amount of "easy to intrude,
> wide-open, high-bandwidth home-servers" would make deep crack attacks
> against "real servers" less attractive.

Why? Most attacks go after "easy targets" (obviously), mostly because they
are after numbers of anonymous machines, not particular machines. And the
most reliable way to find out if something is a crackable target or not is
just to try the attack. Fell for one recently, on rawhide PAM got broken and
random passwords worked against disabled accounts. Hole lasted less than a
day, but "just try stupid passwords against common account names over SSH"
got them into an otherwise well protected machine. Crackers have almost
unlimited computing power at their disposal (other cracked machines by the
score), so careful scouting before a planned attack isn't needed at all.
That doesn't mean deep attacks aren't going on, but they are much less
visible overall (because they are few and far between, better planned (and
thus less easy to detect), and many targets have a high embarrassment factor
to boot).

> This article also claimed that there is a market for people collecting,
> validating and selling such "potentially vulnerable" addresses esp. to
> spammers.

Sure thing.

> This would indicate the issue is less "not to pretend to have a bug
> fixed", but to let a machine appear unattractive for being a candidate
> for a deeper attack.

> Now, it's up to the beholder to draw his conclusions. Is a machine
> identifying as "Fedora linux i386" or "WinServer XYZ" or not providing
> an id more likely to be attacked? - I don't know.

I'd guess it makes very little difference.

> > > Therefore many server admins use faked id-strings or don't provide this
> > > kind of information.

> > That is detrimental to legitimate uses,

> Legitimate uses should not need them at all.

They do. Why doesn't that MTA blackhole mail from here? Oh, yet another badly
configured Trend Micro anti-spam thingie. Greylisting stops all mail from
some.site.org? An Exchange who hasn't got a clue about 400 error messages.
Those are just two recent examples here. Yes, standards are terrific, but
next to nobody implements them correctly, and knowing what you are talking to
goes a long way to finding out why things break.

> > and stops no cracker.

> True. Real crackers will probe and find out.

Or just dive in just in case.
-- 
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica                     Fono: +56 32 2654431
Universidad Tecnica Federico Santa Maria              +56 32 2654239
Casilla 110-V, Valparaiso, Chile                Fax:  +56 32 2797513

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
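The attack Horst describes above, "just try stupid passwords against common account names over SSH", leaves a characteristic trace: one source address failing against many different account names in a short window, which is the opposite of a legitimate user mistyping one password a few times. The following is an added example, not code from the thread or from the Fedora project, that runs such a spray detector over a constructed sample of OpenSSH auth.log lines. The log lines, the IP addresses (documentation ranges) and the thresholds `min_failures`/`min_users` are all assumptions made for the example.

```python
"""Detect SSH password spraying across common account names in auth.log.

Added example, not part of the original fedora-devel-list thread. The log
lines are constructed to resemble OpenSSH syslog messages; the thresholds
are assumptions, not anything the thread states.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log lines (not a real capture).
SAMPLE_LOG = """\
Feb  1 01:05:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Feb  1 01:05:03 host sshd[2002]: Failed password for invalid user test from 203.0.113.7 port 41030 ssh2
Feb  1 01:05:05 host sshd[2003]: Failed password for root from 203.0.113.7 port 41041 ssh2
Feb  1 01:05:07 host sshd[2004]: Failed password for invalid user oracle from 203.0.113.7 port 41055 ssh2
Feb  1 01:05:09 host sshd[2005]: Failed password for invalid user guest from 203.0.113.7 port 41060 ssh2
Feb  1 01:05:11 host sshd[2006]: Accepted password for guest from 203.0.113.7 port 41062 ssh2
Feb  1 01:07:30 host sshd[2010]: Failed password for alice from 198.51.100.23 port 50010 ssh2
Feb  1 01:07:35 host sshd[2011]: Accepted publickey for alice from 198.51.100.23 port 50012 ssh2
Feb  1 01:08:00 host sshd[2012]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Feb  1 01:08:02 host sshd[2013]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Feb  1 01:08:04 host sshd[2014]: Failed password for bob from 192.0.2.9 port 33003 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed password for X",
# plus "Accepted <method> for X", and captures the source address.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd_lines(text):
    """Yield (result, method, user, ip) for each recognisable sshd auth line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")


def find_sprayers(text, min_failures=4, min_users=3):
    """Return {ip: {"failures": n, "users": [...], "accepted": [...]}} for
    source IPs whose failed password attempts span at least min_users distinct
    account names and total at least min_failures.

    One account failing repeatedly (a user who forgot a password) does not
    qualify; many different accounts from one source does. Any later
    'Accepted' from the same IP is reported alongside, so the responder can
    see at a glance whether the spray appears to have succeeded.
    """
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> count
    accepted = defaultdict(list)                       # ip -> [(method, user)]
    for result, method, user, ip in parse_sshd_lines(text):
        if result == "Failed" and method == "password":
            failures[ip][user] += 1
        elif result == "Accepted":
            accepted[ip].append((method, user))

    report = {}
    for ip, per_user in failures.items():
        total = sum(per_user.values())
        if total >= min_failures and len(per_user) >= min_users:
            report[ip] = {
                "failures": total,
                "users": sorted(per_user),
                "accepted": accepted.get(ip, []),
            }
    return report


if __name__ == "__main__":
    for ip, info in find_sprayers(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample above only 203.0.113.7 is flagged: five failures across five account names, followed by an accepted password login as `guest`, which is exactly the "random password worked against a disabled account" case from the message. The repeated failures for `bob` from 192.0.2.9 stay below the distinct-user threshold and are left alone, since a single user locked out of one account is a help-desk ticket, not a spray.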