service version disclosure
Reindl Harald
h.reindl at thelounge.net
Mon Jan 9 01:42:10 UTC 2012
On 09.01.2012 02:36, Nathanael Noblet wrote:
> On 01/08/2012 04:24 PM, Reindl Harald wrote:
>> and you think that some random examples prove anything?
>> some webserver logs are showing nothing about real exploits
>>
>> there was and there will be exploits you will never see
>> in your webserver-log because if they worked CODE was
>> executed in the context of your webserver
>>
>> fact is that nobody out there needs to know your software-version
>> for something useful and one of the most important rules in
>> server-administration disable and disclose ANYTHING which is not
>> explicit needed to prevent exploit-cases you can not imagine
>> while configure your machine
>
> Umm aren't you saying precisely what everyone is saying?

no, maybe you should read AND try to understand

> "fact is that nobody out there needs to know your software-version for something useful"
> Which was the point of my weblog examples. I am aware that it means nothing except

if something is not needed for any useful things it should not be disclosed
you are missing administration basics

> So displaying changes nothing

it changes the fact that there are bots scanning 24 hours a day
for specific exploits and these individuals are NOT trying all possible
exploits all day long!

if a software-package, information, disclosure is NOT NEEDED it has
to be disabled - again: take some security education!