service version disclosure
Paul Wouters
paul at cypherpunks.ca
Sat Jan 7 10:53:52 UTC 2012
On Sat, 7 Jan 2012, Reindl Harald wrote:
> would it not be a good idea to NOT disclosure service versions?
> https://bugzilla.redhat.com/show_bug.cgi?id=718133
>
> you will more and more have the "problem" of 3rd party
> security scans to your servers and currently in the case
> of openssh the only solution is to tkae the F16-src-rpm
> and rebuild it for your F15 machines
> _______________________
>
> however - why do we spit the current running versions to everyone?
Spitting out versions makes your OWN network monitor easier, as you
can depend on version strings, instead of brute forcing unversioned
services to do a security scan/audit.
With or without versions, attackers will always brute force anyway.
Hiding therefor services no purpose other then make your own process of
inventory harder.
Paul
More information about the devel
mailing list