Version strings [Was: Re: Smolt: Fedora Hardware Profiler]

Thu Feb 1 15:03:35 UTC 2007

Ralf Corsepius <rc040203 at freenet.de> wrote:
> On Thu, 2007-02-01 at 01:05 -0300, Horst H. von Brand wrote:
> > Ralf Corsepius <rc040203 at freenet.de> wrote:
> > 
> > [...]
> > 
> > > Many servers/service return an id-string identifying the version of a
> > > particular piece of SW - If this string is correct it, it provides clear
> > > information to which vulnerabilities it is likely to be vulnerable.
> > 
> > In my experience, the use of those for troubleshooting is much more
> > important than any vulnerabilities exposed this way. Crackers (particularly
> > automated attacks) usually just dive in, without any regard to any version
> > strings. Besides, it is easy to guess (quite accurately, via something like
> > nmap) what is at the other end. Hiding what you are running is an example
> > of what is dismissed with the quip "Security through obscurity, isn't".

> It will surprise you: I share this opinion. 

> Nevertheless, it's still seems pretty common practice.

Yes, as the saying here goes, if dumb people could fly, you'd never see the
sun.

> >  It
> > is uniformly regarded as almost completely useless. Fix the vulnerabilities,
> > don't pretend they aren't there.

> I've recently read an article, claiming that most server attacks these
> days would be quite simple ("Is this a win server? If yes, attack, if no
> stop the attack.) because the overall amount of "easy to intrude,
> wide-open, high-bandwith home-servers" would make deep crack attacks
> against "real servers" less attractive.

Why? Most attacks go after "easy targets" (obviously), mostly because they
are after numbers of anonymous machines, not particular machines. And the
most realiable way to find out if something is an crackable target or not
is just to try the attack.  Fell for one recently, on rawhide PAM got
broken and random passwords worked against disabled accounts. Hole lasted
less than a day, but "just try stupid passwords against common account
names over SSH" got them into an otherwise well protected machine. Crackers
have almost unlimited computing power at their disposal (other cracked
machines by the score), so careful scouting before a planned attack isn't
needed at all.

That doesn't mean deep attacks aren't going on, but they are much less
visible overall (because they are few in between, better planed (and thus
less easy to detect), and many targets have a high embarrasment factor to
booth).

> This article also claimed that there is a market for people collecting,
> validating and selling such "potentially vulnerable" addresses esp. to
> spammers.

Sure thing.

> This would indicate the issue is less "not to pretend to have a bug
> fixed", but to let a machine appear unattractive for being a candidate
> for a deeper attack.

> Now, it's up to the beholder to draw his conclusions. Is a machine
> identifying as "Fedora linux i386" or "WinServer XYZ" or not providing
> an id is more likely to be attacked? - I don't know.

I'd guess it makes very little difference.

> > > Therefore many server admins use faked id-strings or don't provide this
> > > kind of information.

> > That is detrimental to legitimate uses,

> Legitimate uses should not need them at all.

They do. Why doesn't that MTA blackhole mail from here? Oh, yet another
badly configured Trend Micro anti-spam thingie. Grelisting stops all mail
from some.site.org? An Exchange who hasn't got a clue about 400 error
messages. Those are just two recent examples here. Yes, standards are
terrific, but next to nobody implements them correctly, and knowing what
you are talking to goes a long way to finding out why things break.

> >  and stops no cracker.

> True. Real crackers will probe and find out.

Or just dive in just in case.
-- 
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica                    Fono: +56 32 2654431
Universidad Tecnica Federico Santa Maria             +56 32 2654239
Casilla 110-V, Valparaiso, Chile               Fax:  +56 32 2797513