Version strings [Was: Re: Smolt: Fedora Hardware Profiler]

Horst H. von Brand vonbrand at inf.utfsm.cl
Thu Feb 1 04:05:26 UTC 2007


Ralf Corsepius <rc040203 at freenet.de> wrote:

[...]

> Many servers/services return an id-string identifying the version of a
> particular piece of SW - If this string is correct, it provides clear
> information to which vulnerabilities it is likely to be vulnerable.

In my experience, the use of those for troubleshooting is much more
important than any vulnerabilities exposed this way. Crackers (particularly
automated attacks) usually just dive in, without any regard to any version
strings. Besides, it is easy to guess (quite accurately, via something like
nmap) what is at the other end. Hiding what you are running is an example
of what is dismissed with the quip "Security through obscurity, isn't". It
is uniformly regarded as almost completely useless. Fix the vulnerabilities,
don't pretend they aren't there.

> Therefore many server admins use faked id-strings or don't provide this
> kind of information.

That is detrimental to legitimate uses, and stops no cracker.
-- 
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica                    Fono: +56 32 2654431
Universidad Tecnica Federico Santa Maria             +56 32 2654239
Casilla 110-V, Valparaiso, Chile               Fax:  +56 32 2797513
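As an added example (not part of the thread, and not anyone's code from the list), the following script shows the "legitimate use" the reply argues for: an admin collecting the id-strings of their own services and comparing them against the versions they consider patched, so outdated hosts show up in an inventory report. The banners and the minimum versions are constructed sample data, not real advisory information, and the product names the regex recognises are assumptions chosen for the sample.

```python
"""Parse service identification banners and flag hosts whose reported
version is older than the version the admin considers patched.

Added example, not from the original thread. All banners and the
minimum-version table are constructed placeholders.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample banners, in the shape of an HTTP Server: header,
# an SSH identification line and an SMTP greeting.
SAMPLE_BANNERS = [
    "Apache/2.2.3 (Fedora)",
    "SSH-2.0-OpenSSH_4.3",
    "220 mail.example.org ESMTP Sendmail 8.13.8/8.13.8",
    "nginx",            # product only, no version given
    "Server: unknown",  # a faked banner gives the admin nothing to work with
]

# Hypothetical "patched at or above" thresholds; placeholders, not real data.
MIN_FIXED_VERSION: Dict[str, Tuple[int, ...]] = {
    "Apache": (2, 2, 4),
    "OpenSSH": (4, 4),
    "Sendmail": (8, 13, 8),
}

# Product name followed by an optional separator and an optional dotted version.
_BANNER_RE = re.compile(
    r"(?P<product>Apache|OpenSSH|Sendmail|nginx)[/_ ]?(?P<version>\d+(?:\.\d+)*)?"
)


def parse_banner(banner: str) -> Optional[Tuple[str, Optional[Tuple[int, ...]]]]:
    """Return (product, version_tuple_or_None), or None if nothing is recognised."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    version = m.group("version")
    version_tuple = tuple(int(p) for p in version.split(".")) if version else None
    return (m.group("product"), version_tuple)


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Compare dotted versions, padding with zeros so (4, 3) < (4, 3, 1)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def classify(banner: str) -> str:
    """Return 'unknown', 'unversioned', 'outdated' or 'current' for one banner."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    product, version = parsed
    if version is None or product not in MIN_FIXED_VERSION:
        return "unversioned"
    return "outdated" if version_lt(version, MIN_FIXED_VERSION[product]) else "current"


def report(banners=SAMPLE_BANNERS) -> Dict[str, str]:
    """Map each banner to its classification; this is the inventory view."""
    return {b: classify(b) for b in banners}


if __name__ == "__main__":
    for banner, status in report().items():
        print(f"{status:12s} {banner}")
```

The point of the "unknown" and "unversioned" rows is the one the reply makes: a faked or stripped banner does not stop anyone scanning the host, but it does remove the only cheap signal the administrator had for spotting an outdated install.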