Security Incidents mailing list archives
Re: DNS Bind
From: Paul Doom <elektrosatan () VOLTAGENOIR ORG>
Date: Thu, 1 Feb 2001 11:11:00 -0600
On Thu, Feb 01, 2001 at 08:03:34AM -0800, Mark Teicher wrote:
> to avoid will then create a maintenance overhead for administrative staff to go back in and change the version number back so that when one upgrades to the next version the correct updates can be applied, and then change the version number again. This can be a very tiring process for each application an administrator does this to.
Since you can set the reported version in named.conf, it doesn't require any extra work upon upgrade. Making your daemons lie about their name and/or version won't prevent an exploit attempt from succeeding, but it will reduce the chances of an attacker extracting an accurate footprint of your system. Every service you have open to the Internet should lie like a sales brochure in any banner it produces! When the latest script hits the kiddies, you don't want any of them grepping their list of scanned hosts and finding the vulnerable version of whatever is on one of your hosts.
> It would be better if one who is discovering updates would just expend their energy in working with software vendors to eliminate these types of bugs from the software.
Fixing problems is the important focus, without doubt! Obscurity != Security. However, you may be able to buy yourself a little time with some good ol' counter-intelligence.

-Paul

--
/Paul M. Hirsch /
/elektrosatan () voltagenoir org/
/GPG/PGP key ID: 0xD11A250E /
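The named.conf setting Paul refers to, together with a small audit of what a server actually reports, as an added example that is not part of the thread: it assumes the `version` option of the `options {}` block in BIND 8/9 syntax, and `dig` for the live query; the banner strings checked below are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): override the string BIND returns for
# the version.bind CHAOS TXT record, and audit what a server really reports.

# Fragment for the options {} block of named.conf (assumes BIND 8/9 syntax).
# Without it, named answers version.bind with its real version string.
NAMED_CONF_OPTIONS='options {
    version "not available";   /* returned for version.bind CH TXT */
};'

# Live query of a server's version.bind record (needs dig and the network).
query_version_bind() {
    dig +short "@$1" version.bind CH TXT 2>/dev/null | tr -d '"'
}

# Return 0 (true) when a banner looks like a real BIND version string,
# e.g. 8.2.2-P5 or 9.1.0, i.e. the server is not lying as Paul suggests.
looks_like_real_version() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+(\.[0-9]+)?(-[A-Za-z0-9]+)?$'
}

# Print a verdict for one banner string; exit status 1 if it discloses a version.
audit_banner() {
    if looks_like_real_version "$1"; then
        echo "DISCLOSES: '$1' looks like a real BIND version; set options { version ...; }"
        return 1
    fi
    echo "OK: '$1' does not look like a version string"
    return 0
}

# Usage against a live server (constructed hostname):
#   audit_banner "$(query_version_bind ns1.example.com)"
```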