On Thu, 2007-02-01 at 01:05 -0300, Horst H. von Brand wrote:
> Ralf Corsepius <rc040203(a)freenet.de> wrote:
> [...]
> > Many servers/services return an id-string identifying the version of a
> > particular piece of SW - If this string is correct, it provides clear
> > information about which vulnerabilities it is likely to be vulnerable to.
> In my experience, the use of those for troubleshooting is much more
> important than any vulnerabilities exposed this way. Crackers (particularly
> automated attacks) usually just dive in, without any regard to any version
> strings. Besides, it is easy to guess (quite accurately, via something like
> nmap) what is at the other end. Hiding what you are running is an example
> of what is dismissed with the quip "Security through obscurity, isn't".
It will surprise you: I share this opinion.
Nevertheless, it still seems pretty common practice.
> It is uniformly regarded as almost completely useless. Fix the vulnerabilities,
> don't pretend they aren't there.
I've recently read an article claiming that most server attacks these
days would be quite simple ("Is this a win server? If yes, attack; if no,
stop the attack.") because the overall amount of "easy to intrude,
wide-open, high-bandwidth home-servers" would make deep crack attacks
against "real servers" less attractive.
This article also claimed that there is a market for people collecting,
validating and selling such "potentially vulnerable" addresses, esp. to
spammers.
This would indicate the issue is less about "not pretending to have a bug
fixed" than about letting a machine appear unattractive as a candidate
for a deeper attack.
Now, it's up to the beholder to draw his conclusions. Is a machine
identifying as "Fedora linux i386" or "WinServer XYZ", or one not providing
an id, more likely to be attacked? - I don't know.
> > Therefore many server admins use faked id-strings or don't provide this
> > kind of information.
> That is detrimental to legitimate uses,
Legitimate uses should not need them at all.
> and stops no cracker.
True. Real crackers will probe and find out.
Ralf
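Added example, not part of the thread: the two points argued above (a version string carries information that is genuinely useful for troubleshooting, and an admin can put whatever string he likes in it) are both visible in an SSH identification line, whose format RFC 4253 section 4.2 fixes as "SSH-protoversion-softwareversion SP comments CR LF", at most 255 bytes. The code below grabs such a banner from a throwaway local TCP server that replies with a constructed banner, and parses it; the helper names and the sample banners are my own assumptions, and the "faked" banner illustrates that nothing in the protocol lets the client tell a truthful string from an invented one.

```python
"""Banner grabbing and SSH identification-string parsing (added example)."""
import re
import socket
import threading

# RFC 4253 sec. 4.2: SSH-protoversion-softwareversion SP comments CR LF.
# The software version is free text; "OpenSSH_4.3p2" is merely a convention.
SSH_ID_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?$"
)

# Constructed sample banners (assumption: not captured from any real host).
SAMPLE_HONEST_BANNER = b"SSH-2.0-OpenSSH_4.3p2 Debian-9\r\n"
SAMPLE_FAKED_BANNER = b"SSH-2.0-Apache_httpd_2.2\r\n"


def parse_ssh_identification(line):
    """Split an SSH identification line into its RFC 4253 parts.

    Returns a dict with proto, software, comments, product and version,
    or None if the line is not an SSH identification string at all.
    """
    m = SSH_ID_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    info = m.groupdict()
    # By convention "product_version"; anything after the first "_" is the
    # version, but the server may send any string it likes here.
    product, _, version = info["software"].partition("_")
    info["product"] = product
    info["version"] = version or None
    return info


def grab_banner(host, port, timeout=3.0, max_bytes=255):
    """Connect and read the server's greeting up to CRLF or max_bytes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while len(data) < max_bytes:
            chunk = s.recv(1)  # one byte at a time so we stop exactly at CRLF
            if not chunk:
                break
            data += chunk
            if data.endswith(b"\r\n"):
                break
        return data.decode("ascii", errors="replace")


def serve_banner_once(banner):
    """Start a throwaway server on 127.0.0.1 that sends `banner` to one client.

    Returns the port it listens on. Assumption: this stands in for a real
    sshd (or a sshd whose admin has edited the version string).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def grab_and_parse(banner):
    """Serve `banner` locally, grab it as a client would, and parse it."""
    port = serve_banner_once(banner)
    return parse_ssh_identification(grab_banner("127.0.0.1", port))


if __name__ == "__main__":
    for b in (SAMPLE_HONEST_BANNER, SAMPLE_FAKED_BANNER):
        print(grab_and_parse(b))
```

The honest banner yields a product and version an admin can match against a changelog when debugging a connection problem; the faked one parses just as cleanly, so a client that trusts the string learns nothing reliable, which is exactly why a scanner falls back to protocol behaviour rather than the banner.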