Ralf Corsepius rc040203@freenet.de wrote:
[...]
Many servers/services return an id-string identifying the version of a particular piece of SW - If this string is correct, it provides clear information to which vulnerabilities it is likely to be vulnerable.
In my experience, the use of those for troubleshooting is much more important than any vulnerabilities exposed this way. Crackers (particularly automated attacks) usually just dive in, without any regard to any version strings. Besides, it is easy to guess (quite accurately, via something like nmap) what is at the other end. Hiding what you are running is an example of what is dismissed with the quip "Security through obscurity, isn't". It is uniformly regarded as almost completely useless. Fix the vulnerabilities, don't pretend they aren't there.
Therefore many server admins use faked id-strings or don't provide this kind of information.
That is detrimental to legitimate uses, and stops no cracker.