RE: [suse-security] Hide/Change MTA Mailheader
> that's security by obscurity and not useful

Oh, obscurity does have its place in security. You mustn't rely on it in any way, but you can well use it to make it somewhat harder for an attacker. After all, there's no point in making it easier for them. Consider it one building block in the tower of security. A rather small one.

Cheers,
Tobias
On Tue, Oct 08, 2002 at 09:10:50AM +0200, Reckhard, Tobias wrote:
>> that's security by obscurity and not useful
>
> Oh, obscurity does have its place in security. You mustn't rely on it in any way, but you can well use it to make it somewhat harder for an attacker. After all, there's no point in making it easier for them. Consider it one building block in the tower of security. A rather small one.

Hiding the identity of your MTA is somewhat hard. You can change sendmail to not announce itself in the Received header, alright. You can also change SmtpGreetingMessage, otherwise it'll still be recognizable by its SMTP banner.

But that's not where the story ends. There are many telltale signs by which you can identify MTAs. Sendmail for instance will always reply "Hello ..., pleased to meet you" in response to EHLO/HELO, while Postfix replies "hostname ESMTP ....". The set of ESMTP extensions supported also differs between MTAs and even between different versions of the same MTA. The general syntax of the Received header also differs between MTAs, as does the SMTP id included. Sometimes it may even be possible to identify different versions - it seems sendmail changed the SMTP id format from "[A-Z]AA[0-9]*" in 8.9 to something like "g[0-9A-F]*" in 8.11.

In short, you will be able to fool dumb scanners but not the eye of a human.

Olaf
--
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture.        -- Peter Gutmann
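Olaf's list of telltales, turned into a small fingerprinter as an added example that is not part of the original thread: it weighs the SMTP banner, the EHLO/HELO reply and the queue id in the Received header, so that a host which has only changed SmtpGreetingMessage is still classified as sendmail. The regular expressions, the weights and the sample transcripts are this example's own assumptions (including treating the "g" in the 8.11 id as a fixed literal, as Olaf wrote it, and taking the "hostname ESMTP" greeting as the Postfix marker exactly as the post describes it); they are not taken from sendmail or Postfix documentation.

```python
"""Added example: fingerprint an MTA from several SMTP telltales, not just
the banner, following the signals listed in the thread.  The regexes,
weights and sample transcripts are this example's own assumptions, not
anything from the original post or from sendmail/Postfix documentation."""
import re
from collections import Counter

# Queue-id shapes quoted in the post for the "id" field of a Received header:
# sendmail 8.9 "[A-Z]AA[0-9]*" (e.g. KAA12345), sendmail 8.11 "g[0-9A-F]*".
# Assumption: the leading 'g' is treated as a fixed literal, as the post wrote it.
SENDMAIL_89_ID = re.compile(r"\bid\s+([A-Z]AA\d+)\b")
SENDMAIL_811_ID = re.compile(r"\bid\s+(g[0-9A-Fa-f]+)\b")

# EHLO/HELO reply markers as described in the post.
SENDMAIL_HELO = re.compile(r"pleased to meet you", re.I)
POSTFIX_HELO = re.compile(r"\bESMTP\b")

# Signal weights (assumption): the banner is trivially changed via
# SmtpGreetingMessage, so it counts least; the greeting text and the
# queue-id format are baked into the code and count more.
WEIGHTS = {"banner": 1, "ehlo": 3, "queue-id": 2}


def fingerprint(transcript):
    """Return a dict with the best-guess MTA, a version hint (sendmail only),
    the total score and the (signal, mta, weight) evidence that was used.
    transcript keys, all optional: 'banner', 'ehlo_reply', 'received'."""
    evidence = []
    version_hint = None

    banner = transcript.get("banner", "").lower()
    for name in ("sendmail", "postfix"):
        if name in banner:
            evidence.append(("banner", name, WEIGHTS["banner"]))

    ehlo = transcript.get("ehlo_reply", "")
    if SENDMAIL_HELO.search(ehlo):
        evidence.append(("ehlo", "sendmail", WEIGHTS["ehlo"]))
    elif POSTFIX_HELO.search(ehlo):
        evidence.append(("ehlo", "postfix", WEIGHTS["ehlo"]))

    received = transcript.get("received", "")
    if SENDMAIL_89_ID.search(received):
        evidence.append(("queue-id", "sendmail", WEIGHTS["queue-id"]))
        version_hint = "8.9-style"
    elif SENDMAIL_811_ID.search(received):
        evidence.append(("queue-id", "sendmail", WEIGHTS["queue-id"]))
        version_hint = "8.11-style"

    scores = Counter()
    for _signal, mta, weight in evidence:
        scores[mta] += weight
    if not scores:
        return {"mta": "unknown", "version_hint": None, "score": 0, "evidence": []}
    mta, score = scores.most_common(1)[0]
    return {
        "mta": mta,
        "version_hint": version_hint if mta == "sendmail" else None,
        "score": score,
        "evidence": evidence,
    }


# Constructed sample transcripts (not captured from real servers).
SAMPLES = {
    # Stock sendmail 8.9: every signal agrees.
    "sendmail_89": {
        "banner": "220 mail.example.net ESMTP Sendmail 8.9.3/8.9.3; Tue, 8 Oct 2002 10:04:00 +0200",
        "ehlo_reply": "250-mail.example.net Hello client.example.org [192.0.2.10], pleased to meet you",
        "received": "Received: from client.example.org (client.example.org [192.0.2.10]) "
                    "by mail.example.net with ESMTP id KAA12345 for <user@example.net>",
    },
    # Same MTA with SmtpGreetingMessage changed: the banner says nothing,
    # but the greeting and the queue id still give it away.
    "sendmail_obscured": {
        "banner": "220 mail.example.net ESMTP",
        "ehlo_reply": "250-mail.example.net Hello client.example.org [192.0.2.10], pleased to meet you",
        "received": "Received: from client.example.org (client.example.org [192.0.2.10]) "
                    "by mail.example.net with ESMTP id g98A4B12 for <user@example.net>",
    },
    # Postfix-style replies, in the shape the post describes.
    "postfix": {
        "banner": "220 mx.example.com ESMTP Postfix",
        "ehlo_reply": "mx.example.com ESMTP Postfix",
        "received": "Received: from client.example.org (client.example.org [192.0.2.10]) "
                    "by mx.example.com with ESMTP id 3F2A1C4B2E for <user@example.com>",
    },
}

if __name__ == "__main__":
    for label, transcript in SAMPLES.items():
        result = fingerprint(transcript)
        print(f"{label:18s} -> {result['mta']} {result['version_hint'] or ''} "
              f"(score {result['score']}, evidence {[e[0] for e in result['evidence']]})")
```

Running it classifies the "sendmail_obscured" transcript as sendmail (8.11-style id) with no banner evidence at all, which is exactly Olaf's point: a banner change defeats a scanner that only greps the 220 line, and nothing more.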
At Tuesday, 8 October 2002 10:04 Olaf Kirch wrote:

> In short, you will be able to fool dumb scanners but not the eye of a human.

But when a new vulnerability sees the light, I would be happier not to have my machine's IP plus software versions in one of the "private" databases. I don't see a technical reason to advertise software + version.

Could it be that the differences in our opinion come from the fact that you are working for SuSE? You are "seen" and probed anyway. But I tell you, if you are a small animal, you are happy not to be seen (at least not to be seen too clearly) in the jungle.

Greetings
--
Michael Zimmermann (http://vegaa.de)
On Tue, Oct 08, 2002 at 10:32:04AM +0200, Michael Zimmermann wrote:
> I don't see a technical reason to advertise software + version.

There is none, agreed.

> Could it be that the differences in our opinion come from the fact that you are working for SuSE? You are "seen" and probed anyway.

No, not really. I work for SuSE as a developer; we have an IS department that is in charge of worrying about MTAs and mopping up any mess (and I'm quite that this is _not_ my job anymore :)

My private boxes are "small fry" just like yours - and I can tell you that these small boxes get scanned just as the big ones do. And the real scans don't bother with checking any fancy version numbers in SMTP banners - they send the exploit right away.

Olaf
--
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture.        -- Peter Gutmann