service version disclosure

Chris Adams cmadams at hiwaay.net
Sat Jan 7 07:49:20 UTC 2012


Once upon a time, Reindl Harald <h.reindl at thelounge.net> said:
> no, one key of security is to provide as little information as
> absolutely necessary, not only for sshd, for every single
> service

That's a key for a false sense of security.

> in the best case no single foreign person has an idea
> what software you are currently running, not what OS
> nor what service-software and at least no exact version

Then go ahead and cut the power cord.  Things such as TCP fingerprinting
will always work (because no two IP stacks are identical).  Connecting
to a service will often be able to identify it because no two programs
implement standards the same way.

If you think you need that level of security, you need to run a full
application-level proxy in front of every server, and then watch it
break regularly (because they never get all the application filtering
correct).  Then wait for the security holes in the proxy.
-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

