Posted to users@httpd.apache.org by Brian Dessent <br...@dessent.net> on 2003/11/18 12:52:58 UTC

Re: [users@httpd] Apache/1.3.28 Server at foo.bar.edu Port 80 - the old ServerSignature debate...

Rafael Faura wrote:

> way to do it. Your scenario is a bit.. mmm, nonsense, no good admin will
> say that, lol.

Uhhh, what?  Your view is definitely in the minority of clueful
administrators if you ask me.  See also "security by obscurity."

> "If you run a vulnerable version you'll be hacked", ok, but you'll be hacked
> faster if you show everybody your version, right? (at least let that

If something's listening on port 80, it's eventually going to have a
test-exploit sent to it, regardless of what it's reporting to the
world.  And these days with backporting being common, the reported
version is of little use to the attacker anyway.  "This server says
2.0.40, is this an ancient unpatched version of Apache, or has this guy
been running his Redhat up2date?  I don't know, guess I'll just have to
test every server on port 80 I come upon."

> version, hehe >:)). Anyway, the first post of this series was related with a
> user that wants to hide its Apache version from server error pages... Of
> course he was asking only that, he didn't ask: "hey, I want to completely
> secure and protect my Apache server!!!", that's another story ;).

Yes, his request was very simple and easy to fill.  It was the unwritten
implication that this was under the guise of security that caused the
repliers to mention this fact, that it has no benefit.  That it went
challenged just goes to show that it's a common misconception and thus
the responses in this thread have served a useful purpose.

> Btw, changing TWO words in httpd.conf ('prod' and 'off' don't seem to me an
> enormous waste of time) and I don't think that somebody will ignore an
> important Apache upgrade by the fact that they changed ServerSignature or
> ServerTokens ...

Sure it's easy to do.  So would be me taping a sign to my front door
that read "There is no TV in this house."  Do you think that would have
any effect on a burglar's likelihood to leave, having come upon my house
in search of a TV to steal?  Especially if he noticed that indeed there
was a TV when he glanced in the window earlier...

Brian
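The two directives the thread keeps referring to ('prod' and 'off'), as an added illustration that is not part of either poster's message: what each ServerTokens level puts in the Server: response header, and what ServerSignature appends to server-generated error pages. The hostname, port and version are the ones in the thread's subject line; the module string after the OS is a constructed sample.

```apache
# httpd.conf excerpt (added example, not from the original thread).

# ServerTokens controls the Server: response header. Accepted values on
# Apache 1.3, from most to least verbose (2.x also adds Major and Minor):
#
#   ServerTokens Full   ->  Server: Apache/1.3.28 (Unix) mod_example/1.0   (module list is a constructed sample)
#   ServerTokens OS     ->  Server: Apache/1.3.28 (Unix)
#   ServerTokens Min    ->  Server: Apache/1.3.28
#   ServerTokens Prod   ->  Server: Apache
ServerTokens Prod

# ServerSignature controls the trailing line on server-generated pages
# (error documents, directory listings). With it On, a 404 page ends with:
#
#   Apache/1.3.28 Server at foo.bar.edu Port 80
#
# Off drops that line entirely; EMail would add a mailto: link to ServerAdmin.
ServerSignature Off

# To see what a running server actually reports, request the headers and
# a non-existent path and look at the Server: line and the page footer:
#   curl -sI http://foo.bar.edu/              | grep -i '^Server:'
#   curl -s  http://foo.bar.edu/does-not-exist | grep -i 'Server at'
#
# Note: this only changes the banner. The version, and whether the fix for
# a given bug has been backported, is what determines exposure; keeping the
# package up to date is the control that matters.
```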

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] Apache/1.3.28 Server at foo.bar.edu Port 80 - the old ServerSignature debate...

Posted by Rafael Faura <rf...@bassy.net>.
Well, I think that the original answer is asked and all of us know that
changing ServerSignature and ServerTokens doesn't *boost* your
security/protection in an Apache environment (I think that this statement
was obvious because in no place you will find a phrase that says: "if you
want to protect and secure your Apache server you only need to change
ServerSignature and ServerTokens; don't worry about upgrades, if a hacker
can't see which version you're running through error pages he can't hurt
you" ...). 

Anyway I'm glad to participate in such debates, and of course in an educated
manner like this :)

