 | | | Banners | Banners 2002-05-08 - By Jason Montleon
Back
Why does RedHat display version levels of programs in banners in their
default configurations. I hate seeing apache, postfix, and wu-ftpd spewing
out the program I 'm using, and the version of that program.
Wouldn 't it be (far) better in most cases to limit this information within
the default configuration files, such that nothing more than is necessary
(like in most cases none) is given? I realize that hiding this information
does not inherantly make a system more secure, but if you can get it down to
where someone can 't tell whether you are running Exchange and IIS on NT or
2K, or Apache on BSD, or Apache on Slackware vs. RedHat, well you get the
idea. It does make the hackers job more difficult. They can try and attack
with code they gleaned from nimda and waste their time all they want for all
I 'm concerned. Not only that, but when someone does a port scan after a big
new bug in wu-ftpd x.xx.whatever is discovered it may be enough that the
version isn 't included that they leave me alone long enough to shut it down
and/or patch it when the fix comes out.
Advertising the exact versions is just about as bad as advertising your
security vulnerabilities. In conjunction with good administrative habits
(like staying on the rhn list and updating when a flaw is found) and good
firewalling I think that it does make a solid defense.
Jason
|
|
|