Ralf Corsepius rc040203@freenet.de wrote:
On Thu, 2007-02-01 at 01:05 -0300, Horst H. von Brand wrote:
Ralf Corsepius rc040203@freenet.de wrote:
[...]
Many servers/services return an id-string identifying the version of a particular piece of SW. If this string is correct, it provides clear information about which vulnerabilities it is likely to be vulnerable to.
In my experience, the use of those for troubleshooting is much more important than any vulnerabilities exposed this way. Crackers (particularly automated attacks) usually just dive in, without any regard to any version strings. Besides, it is easy to guess (quite accurately, via something like nmap) what is at the other end. Hiding what you are running is an example of what is dismissed with the quip "Security through obscurity, isn't".
It will surprise you: I share this opinion.
Nevertheless, it still seems pretty common practice.
Yes, as the saying here goes, if dumb people could fly, you'd never see the sun.
It is uniformly regarded as almost completely useless. Fix the vulnerabilities, don't pretend they aren't there.
I've recently read an article claiming that most server attacks these days would be quite simple ("Is this a win server? If yes, attack; if no, stop the attack.") because the overall amount of "easy to intrude, wide-open, high-bandwidth home servers" would make deep crack attacks against "real servers" less attractive.
Why? Most attacks go after "easy targets" (obviously), mostly because they are after numbers of anonymous machines, not particular machines. And the most reliable way to find out if something is a crackable target or not is just to try the attack. Fell for one recently: on rawhide PAM got broken and random passwords worked against disabled accounts. The hole lasted less than a day, but "just try stupid passwords against common account names over SSH" got them into an otherwise well protected machine. Crackers have almost unlimited computing power at their disposal (other cracked machines by the score), so careful scouting before a planned attack isn't needed at all.
That doesn't mean deep attacks aren't going on, but they are much less visible overall (because they are few and far between, better planned (and thus less easy to detect), and many targets have a high embarrassment factor to boot).
This article also claimed that there is a market for people collecting, validating and selling such "potentially vulnerable" addresses esp. to spammers.
Sure thing.
This would indicate the issue is less "not to pretend to have a bug fixed", but to let a machine appear unattractive for being a candidate for a deeper attack.
Now, it's up to the beholder to draw his conclusions. Is a machine identifying as "Fedora linux i386" or "WinServer XYZ", or one not providing an id, more likely to be attacked? - I don't know.
I'd guess it makes very little difference.
Therefore many server admins use faked id-strings or don't provide this kind of information.
That is detrimental to legitimate uses,
Legitimate uses should not need them at all.
They do. Why doesn't that MTA blackhole mail from here? Oh, yet another badly configured Trend Micro anti-spam thingie. Greylisting stops all mail from some.site.org? An Exchange that hasn't got a clue about 400 error messages. Those are just two recent examples here. Yes, standards are terrific, but next to nobody implements them correctly, and knowing what you are talking to goes a long way to finding out why things break.
and stops no cracker.
True. Real crackers will probe and find out.
Or just dive in just in case.
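The "just try stupid passwords against common account names over SSH" pattern described above is the kind of attack that pays no attention to banners, so detecting it has to rest on authentication behaviour rather than on what the server announces. The following is an added example, not code from either participant or from any project mentioned in the thread: it parses a handful of constructed sshd syslog lines (not real log data), groups failed password attempts per source address against common or nonexistent account names, and reports whether a later password login from the same address succeeded, which is what the broken-PAM incident above would have looked like in the log. The account list, thresholds and log format are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample of sshd syslog lines for the example (not real log data).
SAMPLE_LOG = """\
Feb  1 03:12:01 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Feb  1 03:12:03 host sshd[2103]: Failed password for invalid user test from 198.51.100.7 port 50123 ssh2
Feb  1 03:12:05 host sshd[2105]: Failed password for root from 198.51.100.7 port 50124 ssh2
Feb  1 03:12:07 host sshd[2107]: Failed password for invalid user oracle from 198.51.100.7 port 50125 ssh2
Feb  1 03:12:09 host sshd[2109]: Accepted password for test from 198.51.100.7 port 50126 ssh2
Feb  1 03:15:40 host sshd[2150]: Failed password for hvb from 203.0.113.9 port 41001 ssh2
Feb  1 03:16:02 host sshd[2152]: Accepted publickey for hvb from 203.0.113.9 port 41002 ssh2
"""

# Matches the OpenSSH "Accepted/Failed <method> for [invalid user ]<user> from <ip> port <port>" form.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

# Assumed list of account names that password-guessing bots try first.
COMMON_ACCOUNTS = {"root", "admin", "test", "oracle", "guest", "user", "ubuntu", "pi"}


def parse_sshd(log_text):
    """Turn sshd log lines into dicts; lines that are not auth results are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "result": m["result"],          # "Accepted" or "Failed"
            "method": m["method"],          # "password", "publickey", ...
            "user": m["user"],
            "invalid": m["invalid"] is not None,  # account does not exist on this host
            "ip": m["ip"],
        })
    return events


def find_password_guessing(events, min_failures=3):
    """Per source IP, collect failed password attempts against nonexistent or
    common account names.  An IP is reported once it has tried at least
    min_failures distinct such names; the report also lists any password
    logins from that IP that were accepted after the guessing started."""
    by_ip = defaultdict(lambda: {"failed_users": set(), "accepted": []})
    for ev in events:
        rec = by_ip[ev["ip"]]
        if ev["result"] == "Failed" and ev["method"] == "password" and (
            ev["invalid"] or ev["user"] in COMMON_ACCOUNTS
        ):
            rec["failed_users"].add(ev["user"])
        elif ev["result"] == "Accepted" and ev["method"] == "password" and rec["failed_users"]:
            # A password login accepted after a spray from the same source is
            # the case worth paging on, whatever the server banner said.
            rec["accepted"].append(ev["user"])

    findings = {}
    for ip, rec in by_ip.items():
        if len(rec["failed_users"]) >= min_failures:
            findings[ip] = {
                "guessed": sorted(rec["failed_users"]),
                "succeeded_as": rec["accepted"],
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_password_guessing(parse_sshd(SAMPLE_LOG)).items():
        print(ip, "guessed", info["guessed"], "succeeded as", info["succeeded_as"])
```

Run as a script it prints one line for 198.51.100.7 and nothing for the legitimate 203.0.113.9 session, whose single failed password against a real account and subsequent public-key login fall below the threshold. On a real host the same logic runs over /var/log/secure or the journal; the threshold and account list are the tuning knobs.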