OK, everything is fine, security tips, but even if the server is correctly
configured, with the maximum security which I have to set up, and permissions
on dirs, especially for example on daemon directories such as bin, conf, log,
cgi-bin and so on, OK, everything is OK, but I don't need to show a wrong
version, I don't need to show any version or any banner, in this case nothing.
Just for example, when somebody tries to do this, then he or she :) will get
"connection closed by remote host" without any banners...
Is it possible in any way? If not, OK, I'm just asking, and please don't be angry.
Thanks again
----- Original Message -----
From: "Yarrel"

-----Original Message-----
From: bolo@lupa.de [mailto:bolo@lupa.de]
Sent: Wednesday, March 06, 2002 1:40 PM
To: suse-security@suse.com
Subject: Re: [suse-security] Apache version
[snipped]
Agreed. But it's a common and recommended security practise to hide banners of demons. This is not security through obscurity, but essential.
Most of the activity in your logs, including hack/exploit attempts, is from scriptkiddies who couldn't care less what version you're running.
NACK. It's highly important, even for some script kiddies, which versions of demons you're running. Most of the cracker lore deals with version information and whatnot, because most exploits are designed for distinct versions of the programs they're targeted at. There are more types of attackers "out there" than script kiddies.
I agree! Hence my expression: "everything AND the kitchensink" :o) I'm of course aware of the other types as well. I was merely pointing out that the majority are scriptkiddies who know nothing about comp. security.
They just throw their cookbooks at your IP/firewall regardless.
Yes, they do. And of course it would be silly to hide behind a non-disclosed banner of a vulnerable demon version, but it's perfectly okay to hide versions and demon names of properly installed and sec-hardened servers.
Sure it is. But necessary? I don't believe so. Exploits will work regardless, if the server's vulnerable.
I believe there are other ways of getting Apache to reveal its version too, so this won't work.
That's true, but this isn't as easy as it seems, and commonly is way beyond the scope of an average script abuser.
Agreed
/Yarrel