On Thu, 2007-02-01 at 01:05 -0300, Horst H. von Brand wrote:
Ralf Corsepius <rc040203@freenet.de> wrote:
[...]
Many servers/services return an id-string identifying the version of a particular piece of SW - If this string is correct, it provides clear information to which vulnerabilities it is likely to be vulnerable.
In my experience, the use of those for troubleshooting is much more important than any vulnerabilities exposed this way. Crackers (particularly automated attacks) usually just dive in, without any regard to any version strings. Besides, it is easy to guess (quite accurately, via something like nmap) what is at the other end. Hiding what you are running is an example of what is dismissed with the quip "Security through obscurity, isn't".
It will surprise you: I share this opinion.
Nevertheless, it still seems pretty common practice.
It is uniformly regarded as almost completely useless. Fix the vulnerabilities, don't pretend they aren't there.
I've recently read an article, claiming that most server attacks these days would be quite simple ("Is this a win server? If yes, attack, if no stop the attack.") because the overall amount of "easy to intrude, wide-open, high-bandwidth home-servers" would make deep crack attacks against "real servers" less attractive.
This article also claimed that there is a market for people collecting, validating and selling such "potentially vulnerable" addresses esp. to spammers.
This would indicate the issue is less "not to pretend to have a bug fixed", but to let a machine appear unattractive for being a candidate for a deeper attack.
Now, it's up to the beholder to draw his conclusions. Is a machine identifying as "Fedora linux i386" or "WinServer XYZ" or not providing an id more likely to be attacked? - I don't know.
Therefore many server admins use faked id-strings or don't provide this kind of information.
That is detrimental to legitimate uses,
Legitimate uses should not need them at all.
and stops no cracker.
True. Real crackers will probe and find out.
Ralf