[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Version strings [Was: Re: Smolt: Fedora Hardware Profiler]



On Thu, 2007-02-01 at 01:05 -0300, Horst H. von Brand wrote:
> Ralf Corsepius <rc040203 freenet de> wrote:
> 
> [...]
> 
> > Many servers/service return an id-string identifying the version of a
> > particular piece of SW - If this string is correct it, it provides clear
> > information to which vulnerabilities it is likely to be vulnerable.
> 
> In my experience, the use of those for troubleshooting is much more
> important than any vulnerabilities exposed this way. Crackers (particularly
> automated attacks) usually just dive in, without any regard to any version
> strings. Besides, it is easy to guess (quite accurately, via something like
> nmap) what is at the other end. Hiding what you are running is an example
> of what is dismissed with the quip "Security through obscurity, isn't".
It will surprise you: I share this opinion. 

Nevertheless, it's still seems pretty common practice.

>  It
> is uniformly regarded as almost completely useless. Fix the vulnerabilities,
> don't pretend they aren't there.

I've recently read an article, claiming that most server attacks these
days would be quite simple ("Is this a win server? If yes, attack, if no
stop the attack.) because the overall amount of "easy to intrude,
wide-open, high-bandwith home-servers" would make deep crack attacks
against "real servers" less attractive.

This article also claimed that there is a market for people collecting,
validating and selling such "potentially vulnerable" addresses esp. to
spammers.

This would indicate the issue is less "not to pretend to have a bug
fixed", but to let a machine appear unattractive for being a candidate
for a deeper attack.

Now, it's up to the beholder to draw his conclusions. Is a machine
identifying as "Fedora linux i386" or "WinServer XYZ" or not providing
an id is more likely to be attacked? - I don't know.

> > Therefore many server admins use faked id-strings or don't provide this
> > kind of information.
> 
> That is detrimental to legitimate uses,
Legitimate uses should not need them at all.

>  and stops no cracker.
True. Real crackers will probe and find out.

Ralf



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]