From: Eivind Eklund
To: Jason Burdick
Cc: security@freebsd.org
Date: Mon, 9 Jul 2001 00:24:09 +0200
Subject: Re: Hiding Versions
Message-ID: <20010709002409.B49349@thinksec.no>
In-Reply-To: <003801c1065e$c4724480$0c8e1581@yclan.net>

On Fri, Jul 06, 2001 at 05:01:03PM -0400, Jason Burdick wrote:
> Hiding version strings is very pointless. The only use is to let admins be
> a tad bit more lazy in patching so s'kiddies, who only look for version
> strings for exploit purposes, will pass by the box. This doesn't stop
> someone with a clue, so it's a waste of time. Patch the box correctly, and
> you'll have fewer problems.

I agree that you should patch the box correctly. I do not agree that hiding version numbers is useless.
When you hide your version number, you make it less likely that the exploit will work the first time - and if your service is set up so the first attempt is all the attackers get (e.g., BIND exploits), then hiding the version number increases real security. It also increases the likelihood of detection, as a wrong exploit is likely to be tried first, and thus log an error.

Eivind.
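As an added illustration of the detection point made above (example code, not part of the original message or of any FreeBSD or BIND tooling): a small Python checker that parses constructed syslog-style lines and flags source addresses whose requests failed repeatedly, which is the signal a mismatched exploit attempt leaves behind. The log format, host names, error markers and addresses are all assumptions for the example.

```python
import re
from collections import Counter

# Constructed syslog-style lines (not from the original message) in a
# BIND-like format: a probe whose exploit, built for a version the server
# does not run, fails three times and is logged, beside normal traffic.
SAMPLE_LOG = """\
Jul  9 00:20:01 ns1 named[123]: client 203.0.113.7#4321: query (cache) 'example.org/A/IN' approved
Jul  9 00:20:05 ns1 named[123]: client 198.51.100.9#53412: error: malformed request
Jul  9 00:20:06 ns1 named[123]: client 198.51.100.9#53413: error: malformed request
Jul  9 00:20:09 ns1 named[123]: client 198.51.100.9#53414: error: malformed request
Jul  9 00:21:00 ns1 named[123]: client 203.0.113.7#4322: query (cache) 'example.org/MX/IN' approved
"""

# One event line: timestamp, host, daemon[pid]:, then "client ADDR#PORT: message".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+: client (?P<src>[^#\s]+)#\d+: (?P<msg>.*)$"
)
# Substrings (assumed for this example) that mark a failed request.
ERROR_MARKERS = ("error:", "malformed", "denied", "bad ")


def parse_events(log_text):
    """Yield (timestamp, source_address, message) for every line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("src"), m.group("msg")


def is_error(msg):
    """True when the message records a request the server rejected."""
    return any(marker in msg.lower() for marker in ERROR_MARKERS)


def error_counts(log_text):
    """Count failed requests per source address."""
    counts = Counter()
    for _ts, src, msg in parse_events(log_text):
        if is_error(msg):
            counts[src] += 1
    return counts


def suspicious_sources(log_text, threshold=2):
    """Sources whose failed requests reach the threshold, as a sorted list
    of (source, count, first_failure_timestamp); these are the probes worth
    a second look even though the attempts themselves did not succeed."""
    first_seen = {}
    for ts, src, msg in parse_events(log_text):
        if is_error(msg) and src not in first_seen:
            first_seen[src] = ts
    counts = error_counts(log_text)
    return sorted((src, n, first_seen[src]) for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for src, n, ts in suspicious_sources(SAMPLE_LOG):
        print(f"{src}: {n} failed requests, first at {ts}")
```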