Date: Sat, 28 Nov 1998 16:35:27 -0500 (EST)
From: Robert Watson
To: CyberPsychotic
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Detecting remote host type and so on..

On Sat, 28 Nov 1998, CyberPsychotic wrote:

> Hello people,
> This is probably a bit off-topic, but anyway, That is not good when someone
> could figure out what platform you're running your Apache on. Recently I
> checked site http://www.netcraft.com which could tell you what server and
> on what platform you're running. They don't provide source for the code,
> so I just put my sniffer on, and pushed the button (they have webform) to
> see what that will do. All that box did, was a connection to my 80 port
> and issuing command HEAD / HTTP/1.0. All what comes for response is:

As far as I can tell, it is almost impossible to disguise the operating
system that you are running. Most platforms display distinctive banners,
have quirks in their IP implementation, or just made different design
choices that may be distinguished remotely (for example, choices about
timeouts, fragmentation issues, etc). While you can attempt to hide the
platform by disabling as many services as possible, removing banners, and
hiding behind a firewall that reformats packets and connections, there is
really not a whole lot to do.

I find leaving the information there is often more useful than not --
attempting to exploit a bug doesn't require knowledge of the OS/version
(try all versions you have an exploit for :), but having the version
information there can be useful in debugging interoperability problems.
Sort of like having the sendmail version there -- makes it easier to debug
problems, and lets you use wholesale network scanners to find old
versions; but for someone to try to exploit a bug they just try it out.
If you care a whole bunch, it could probably be cleaned up a bit, but I'm
not sure it's worth the trouble.

If you think the server says too much, look at what your average WWW
browser spews to the server :).

  Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
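
An added example, not part of the original message: a small audit script that takes the reply to the `HEAD / HTTP/1.0` request described in the quoted post and lists what the banner headers of your own server give away (product, version, platform comment). The sample response, the header list and the function names are constructed for illustration.

```python
import re

# Constructed sample: a reply a server might give to "HEAD / HTTP/1.0".
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 28 Nov 1998 21:35:27 GMT\r\n"
    "Server: Apache/1.3.3 (Unix) PHP/3.0.5\r\n"
    "X-Powered-By: PHP/3.0.5\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Headers that commonly carry software identification (assumed list).
BANNER_HEADERS = ("server", "x-powered-by")

# A banner is a run of "(comment)" and "product[/version]" tokens.
TOKEN_RE = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/(\S+))?")

def parse_headers(raw):
    """Return {lowercased-name: value} for the header block of a response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def banner_disclosure(raw):
    """List (header, kind, detail) tuples for everything the banners reveal."""
    findings = []
    headers = parse_headers(raw)
    for name in BANNER_HEADERS:
        for comment, product, version in TOKEN_RE.findall(headers.get(name, "")):
            if comment:
                findings.append((name, "platform", comment))
            elif version:
                findings.append((name, "version", f"{product}/{version}"))
            else:
                findings.append((name, "product", product))
    return findings

if __name__ == "__main__":
    for header, kind, detail in banner_disclosure(SAMPLE_RESPONSE):
        print(f"{header}: {kind} -> {detail}")
```

A trimmed banner such as `Server: Apache` yields a single "product" finding, which matches the point made in the reply: the banner can be cleaned up, but other remotely visible behaviour still distinguishes the platform.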