Version strings [Was: Re: Smolt: Fedora Hardware Profiler]

Ralf Corsepius rc040203 at freenet.de
Thu Feb 1 05:00:58 UTC 2007


On Thu, 2007-02-01 at 01:05 -0300, Horst H. von Brand wrote:
> Ralf Corsepius <rc040203 at freenet.de> wrote:
> 
> [...]
> 
> > Many servers/services return an id-string identifying the version of a
> > particular piece of SW - If this string is correct, it provides clear
> > information to which vulnerabilities it is likely to be vulnerable.
> 
> In my experience, the use of those for troubleshooting is much more
> important than any vulnerabilities exposed this way. Crackers (particularly
> automated attacks) usually just dive in, without any regard to any version
> strings. Besides, it is easy to guess (quite accurately, via something like
> nmap) what is at the other end. Hiding what you are running is an example
> of what is dismissed with the quip "Security through obscurity, isn't".
It will surprise you: I share this opinion. 

Nevertheless, it still seems pretty common practice.

>  It
> is uniformly regarded as almost completely useless. Fix the vulnerabilities,
> don't pretend they aren't there.

I've recently read an article, claiming that most server attacks these
days would be quite simple ("Is this a win server? If yes, attack, if no
stop the attack.") because the overall amount of "easy to intrude,
wide-open, high-bandwidth home-servers" would make deep crack attacks
against "real servers" less attractive.

This article also claimed that there is a market for people collecting,
validating and selling such "potentially vulnerable" addresses esp. to
spammers.

This would indicate the issue is less "not to pretend to have a bug
fixed", but to let a machine appear unattractive for being a candidate
for a deeper attack.

Now, it's up to the beholder to draw his conclusions. Is a machine
identifying as "Fedora linux i386" or "WinServer XYZ" or not providing
an id more likely to be attacked? - I don't know.

> > Therefore many server admins use faked id-strings or don't provide this
> > kind of information.
> 
> That is detrimental to legitimate uses,
Legitimate uses should not need them at all.

>  and stops no cracker.
True. Real crackers will probe and find out.

Ralf




