Date: Tue, 27 Mar 2001 22:24:28 -0600
From: "Jeffrey J. Mountin" <jeff-ml@mountin.net>
To: security@FreeBSD.ORG
Subject: Re: SSHD revealing too much information.
Message-ID: <4.3.2.20010327215647.02842490@207.227.119.2>
In-Reply-To: <20010327194550.A20633@pir.net>
References: <4.3.2.20010327173917.02803ae0@207.227.119.2> <4.3.2.20010327160147.02c1b6c0@207.227.119.2> <20010327005503.J5425@rfx-216-196-73-168.users.reflex> <Pine.NEB.3.96L.1010326205118.81313D-100000@fledge.watson.org> <p05010404b6e5bb325d3c@[128.113.24.47]> <20010327005503.J5425@rfx-216-196-73-168.users.reflex> <p05010407b6e693b73e7c@[128.113.24.47]> <4.3.2.20010327160147.02c1b6c0@207.227.119.2> <20010327173454.J12888@pir.net> <4.3.2.20010327173917.02803ae0@207.227.119.2>
At 07:45 PM 3/27/01 -0500, Peter Radcliffe wrote:
>"Jeffrey J. Mountin" <jeff-ml@mountin.net> probably said:
> > Argh, this can go on and on...
>
>Which shows there are two distinct opinions here, and both should
>be allowed for.

True, and for my last points on this....

>The bind servers on my work class B that don't give out version
>numbers have NEVER been attacked. The scans for version.bind ignore
>them. The recent bind vulnerabilities were well known before there was
>an available fix, and my not handing out version numbers meant the
>machine was not attacked before the fixes were available.

Does it even announce that it is BIND? If not, then the reason might be due to them thinking it isn't BIND.

> > Better to spend time limiting the loss should the house be broken into
> > than hiding the fact there is a house there.
>
>You can't fight what you don't know. Not all vulnerabilities are known
>or have fixes.

Was thinking more about how you internally configure the server and internal network. As you mention BIND, there are 3 ways to run it. Was thinking more along the lines of limiting the scope of a compromise.

> > Obscurity is a waste of time for little benefit IMO.
>
>When it takes little effort and helps in some situations, I disagree
>with you.

In the long term, should there be a global switch to turn off version announcements for all system daemons, what are the chances that scanning tools will evolve and realize that a system not printing out versions must be at least this version? They will then just have to try everything. More so as time goes by and vulnerabilities are uncovered. Then all the effort put into such a change matters not anymore. Which reinforces the idea that the individual should be doing the work for obscurity. Otherwise, once the feature is there and its use is more common, then its effectiveness as a security measure is inversely as good as the will of the attacker or the tools used. Large effort for a short time gain.

Robert at least mentioned the first part. The second might have a different outcome.... "Hmmm... this is a FBSD system, let's just move on and find some M$ system." You could say we are betting on different outcomes. 8-)

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve
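Peter's point about scans for version.bind rests on a concrete exchange: a TXT query in the CHAOS class for the name version.bind, which a BIND server answers with whatever its configured version string is unless that reply has been disabled. The Python below is an added example, not part of this thread and not FreeBSD or BIND code: it builds that query from the DNS wire format, parses a reply, and classifies what the server gave away, which is the check an administrator would run against a server they operate before deciding the debate above applies to them. The reply bytes come from the constructed `make_reply` helper so the whole thing runs offline; `check_server` sends the same query over UDP, and its `host` argument is an assumption to be replaced with one of your own servers.

```python
"""Offline demonstration of a version.bind CHAOS TXT query and reply (added example)."""
import socket
import struct

QTYPE_TXT = 16   # TXT record type
QCLASS_CH = 3    # CHAOS class, where version.bind is answered
# wire-format name "version.bind": <7>version<4>bind<0>
QNAME = b"\x07version\x04bind\x00"


def build_version_bind_query(txid=0x1234):
    """Build the 30-byte UDP DNS query a scanner (or a self-check) sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + QNAME + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def parse_name(data, offset):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = parse_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_version_reply(data):
    """Return {'rcode': int, 'txt': [strings]} from a raw DNS reply."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):              # skip the echoed question section
        _, offset = parse_name(data, offset)
        offset += 4                       # qtype + qclass
    txts = []
    for _ in range(ancount):
        _, offset = parse_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            pos = 0                       # TXT rdata is a run of <len><bytes> strings
            while pos < len(rdata):
                n = rdata[pos]
                txts.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
    return {"rcode": flags & 0x0F, "txt": txts}


def classify(reply):
    """Defender's view of the reply: what did the server give away?"""
    if reply["rcode"] != 0:
        return "error"        # server declined the query; nothing leaked
    if not reply["txt"]:
        return "empty"        # answered, but with no text
    return "disclosed"        # a version string went out on the wire


def make_reply(txid, txt, rcode=0):
    """Constructed reply for offline use; NOT captured from any real server."""
    ancount = 1 if txt is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)
    answer = b""
    if txt is not None:
        rdata = bytes([len(txt)]) + txt.encode("ascii")
        # 0xC00C is a pointer back to the name at offset 12 (the question)
        answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return header + QNAME + struct.pack("!HH", QTYPE_TXT, QCLASS_CH) + answer


def check_server(host, port=53, timeout=3.0):
    """Send the query to a server you administer and classify its answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_bind_query(), (host, port))
        data, _ = s.recvfrom(512)
    return classify(parse_version_reply(data))


if __name__ == "__main__":
    sample = make_reply(0x1234, "constructed-version-string")
    print(classify(parse_version_reply(sample)))                               # disclosed
    print(classify(parse_version_reply(make_reply(0x1234, None, rcode=5))))    # error
```

The three outcomes of `classify` map onto the two camps in the thread: "disclosed" is the default Peter argues against, while "error" or "empty" is what a server that withholds its version returns, and the classification says nothing about whether the daemon is BIND at all, which is exactly Jeff's question above.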