[Dshield] Apache version

Timm, Kevin TimmK at netsolve.net
Mon Jul 7 16:14:48 GMT 2003

It's fairly easy to tell the different web servers without the banner ....
For example, do a request for something.asa on Windows; it should give a 500
code, where Apache will give 404 not found. There are several idiosyncrasies
like that that make determining the versions fairly simple.


-----Original Message-----
From: Johannes Ullrich [mailto:jullrich at euclidian.com]
Sent: Monday, July 07, 2003 10:34 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Apache version

On Mon, 2003-07-07 at 11:19, Kenton Smith wrote:
> I think telling someone *not* to do this is a little inaccurate.

Agreed. Obscurity is not security, but should be part of the overall
concept. Think about passwords ;-). Essentially, a good password is
"security by obscurity".

Hiding the detailed server version may not prevent a hack, but it
makes it harder, and likely more noisy. If the attack is more complex
and noisy, it is more likely that you will be able to intercept it.

Also consider that security is very much an exercise in the '80/20'
rule. Very little effort can prevent a large number of attacks.
Hiding your server version is one thing you can do that is very simple
and can prevent a good number of automated attacks.

However, hiding a server version should not substitute for keeping the
server up to date.

Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
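The "hide the version" step discussed in the thread, shown as an added configuration example (this is not from the list thread or from any poster; it assumes Apache 2.x and a single httpd.conf). The first pair of lines shows the settings that expose the full version string; the second pair is the hardened equivalent. Only one pair belongs in a real config, since for these directives the last occurrence wins.

```apacheconf
# Added example, not from the list thread. Assumes Apache 2.x, main httpd.conf.

# Weak settings (what a default build often ships with): the Server header
# reports the full version plus modules, and generated error pages carry a
# footer line with the same information.
ServerTokens Full
ServerSignature On

# Hardened settings: the Server header says only "Apache", and the footer
# on server-generated pages (404, 500, directory listings) is suppressed.
ServerTokens Prod
ServerSignature Off
```

After a restart, check what the server actually sends with `curl -sI http://localhost/ | grep -i '^Server:'`; with the hardened pair it should read `Server: Apache` and nothing more. As the original poster notes, this changes only the banner, not the behavioural differences between servers, and it is no substitute for patching.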
