On 01/08/2012 01:46 PM, Reindl Harald wrote:
> On 08.01.2012 21:06, Ian Pilcher wrote:
>> On 01/06/2012 11:31 PM, Reindl Harald wrote:
>>> yes, i know it is security by obscurity
>>> but does it hurt?
>>
>> Yes, it hurts.
>>
>> It hurts every time we make life a little more difficult to satisfy
>> someone's misguided idea of "securitee". I refer you to the
>> Transportation Security Administration if you have any doubt of this.
>
> there are no misguided ideas
>
> EVERY security specialist will tell you that you should never
> disclose details, versions, configurations - NEVER if you
> can avoid it
>
> you need an example?
> * disclose OS, Apache version and PHP version, as the defaults do
> * what does an attacker need to do?
> * receive ANY page, analyze the header
> * after that he knows EXACTLY what exploits are working
>
> if you do NOT disclose this information he must try every
> possible exploit - this will only happen if you are directly
> targeted
>
> but in the real world there are thousands of bots searching
> for vulnerable services 24 hours a day on the whole web
> and if a signature matches someone is getting notified
>
> if you are not aware of this fact i recommend you some
> education in security!
>
> SSH was here only an example
> i meant GENERALLY how fedora/RHEL is dealing with defaults
> _______________________
>
> this is a worst-case example of a ubuntu-server and the
> default footer of a directory-listing (only after authentication
> but a software-source i know which i do not disclose here)
>
> Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.14 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8 Server at **** Port 80
>
> and such things are only happening if maintainers do not choose
> defaults with care - if you are too late with a security update
> or there is a known vulnerability with no updates yet you are
> blowing out that you are vulnerable which is the same as a
> documentation how to get hacked!
So from my logs. Not a probe first, just plain trying to get data using
a hopeful exploit. They don't care what version of anything I'm running.
/chronoPopup.php?PERIOD=../../../../../../../../../../etc/passwd%00 HTTP Response 200
/chronoPopup.php?PERIOD=/etc/passwd HTTP Response 200
/chronoPopup.php?PERIOD=/../../../../../../../../../../proc/self/environ%00 HTTP Response 200
/chronoPopup.php?PERIOD=../../../../../../../../../../proc/self/environ HTTP Response 200
/chronoPopup.php?PERIOD=../../../../../../../../../../etc/passwd HTTP Response 200
/chronoPopup.php?PERIOD=/../../../../../../../../../../etc/passwd%00 HTTP Response 200
/chronoPopup.php?PERIOD=/../../../../../../../../../../etc/passwd HTTP Response 200
I realize it looks like they got the files they wanted, but in reality
it ignored the request and sent the data it always does...
In any case, I still get tons of requests for Default.aspx, as well as a
whole host of requests for IIS vulnerabilities. Even though I run Linux
and Apache. Hiding the version changes nothing. The software doing all
this scanning simply *tries* to exploit, not find out exploitable
machines so it can tell some random human to then run a script against
it....
--
Nathanael d. Noblet
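The following is an added example, not code from this thread or from Apache, Ubuntu or any project mentioned in it; it makes both sides' arguments something you can run. The first function takes an Apache-style Server banner (the Ubuntu footer quoted above, copied in as a constant) and extracts the component/version pairs a scanner would harvest from a verbose `ServerTokens` setting, and returns nothing when the banner is just "Apache". The second runs over request paths (the chronoPopup.php probes quoted above, reproduced as constructed sample input alongside a double-encoded variant and two benign requests) and tags directory traversal, NUL-byte truncation and well-known LFI targets, which is the kind of request that gets fired blind with no fingerprinting at all. Function and constant names are my own and hypothetical.

```python
"""Added example (my code, not from the mailing-list thread or any of the
projects it mentions).  Two small checks that make the thread's two
arguments concrete:

  1. parse_server_banner(): pulls (component, version) pairs out of an
     Apache Server/ServerSignature banner, i.e. the fingerprint a scanner
     harvests when ServerTokens is left verbose.
  2. classify_request(): flags traversal / local-file-inclusion probes and
     NUL-byte truncation in request paths; these are sent blind.

Function and constant names are my own choices (hypothetical).
"""
import re
from urllib.parse import unquote

# Banner quoted in the thread (the hostname was already redacted there).
UBUNTU_BANNER = (
    "Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 mod_python/3.3.1 Python/2.5.2 "
    "PHP/5.2.4-2ubuntu5.14 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g "
    "mod_perl/2.0.3 Perl/v5.8.8 Server at **** Port 80"
)

# name/version tokens: "Apache/2.2.8", "PHP/5.2.4-2ubuntu5.14", "Perl/v5.8.8"
BANNER_TOKEN_RE = re.compile(r"([A-Za-z_][\w.+-]*)/v?(\d[\w.+~-]*)")


def parse_server_banner(banner: str) -> dict[str, str]:
    """Return {component: version} for every name/version token.
    Tokens without a version ("(Ubuntu)", "with Suhosin-Patch") are
    ignored.  With `ServerTokens Prod` the banner is just "Apache" and
    this returns an empty dict."""
    return {m.group(1): m.group(2) for m in BANNER_TOKEN_RE.finditer(banner)}


# Constructed sample input: probes quoted in the thread, one double-encoded
# variant, and two benign requests.
SAMPLE_REQUESTS = [
    "/chronoPopup.php?PERIOD=../../../../../../../../../../etc/passwd%00",
    "/chronoPopup.php?PERIOD=/etc/passwd",
    "/chronoPopup.php?PERIOD=/../../../../../../../../../../proc/self/environ%00",
    "/chronoPopup.php?PERIOD=../../../../../../../../../../proc/self/environ",
    "/page.php?f=%252e%252e%252fetc%252fpasswd",
    "/Default.aspx",
    "/index.php?page=home",
]

# Files an LFI probe typically goes after.
SENSITIVE_TARGETS = ("/etc/passwd", "/proc/self/environ")

TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def classify_request(path: str) -> set[str]:
    """Return the set of probe indicators found in one request path.

    The path is percent-decoded twice so that double-encoded payloads
    (%252e%252e%252f -> %2e%2e%2f -> ../) are caught as well as
    single-encoded ones."""
    decoded = unquote(unquote(path))
    tags: set[str] = set()
    if "\x00" in decoded:
        # %00 is meant to truncate a suffix the application appends
        # (e.g. ".php") in old PHP / C string handling.
        tags.add("null-byte")
    if TRAVERSAL_RE.search(decoded):
        tags.add("traversal")
    if any(target in decoded for target in SENSITIVE_TARGETS):
        tags.add("lfi-target")
    return tags


def suspicious_requests(paths):
    """Return [(path, sorted tags)] for every path that raised an indicator.
    The HTTP status is deliberately not an input: a 200 only means the
    application answered, not that the requested file actually leaked."""
    hits = []
    for path in paths:
        tags = classify_request(path)
        if tags:
            hits.append((path, sorted(tags)))
    return hits


if __name__ == "__main__":
    for name, version in sorted(parse_server_banner(UBUNTU_BANNER).items()):
        print(f"{name:<12} {version}")
    print()
    for path, tags in suspicious_requests(SAMPLE_REQUESTS):
        print(f"{','.join(tags):<28} {path}")
```

Running it prints the nine components and versions the quoted banner gives away, then the five requests that carry traversal, NUL-byte or LFI indicators; the two benign requests produce nothing. Decoding twice is what catches the double-encoded variant, and the status code is ignored on purpose for the reason given in the reply above.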