Security Incidents mailing list archives

Re: DNS Bind


From: Paul Doom <elektrosatan () VOLTAGENOIR ORG>
Date: Thu, 1 Feb 2001 11:11:00 -0600

On Thu, Feb 01, 2001 at 08:03:34AM -0800, Mark Teicher wrote:
> to avoid will then create a maintenance overhead for administrative staff
> to go back in and change the version number back so that when one upgrades
> to the next version the correct updates can be applied, and then change the
> version number again.  This can be a very tiring process for each
> application an administrator does this to.

Since you can set the reported version in named.conf, it doesn't require
any extra work upon upgrade.  Making your daemons lie about their name
and/or version won't prevent an exploit attempt from succeeding, but it
will reduce the chances of an attacker extracting an accurate footprint of
your system.  Every service you have open to the Internet should lie like
a sales brochure in any banner it produces!  When the latest script hits the
kiddies, you don't want any of them grepping their list of scanned hosts and
finding the vulnerable version of whatever is on one of your hosts.

> It would be better if one who is discovering updates would just expend their
> energy in working with software vendors to eliminate these types of bugs
> from the software.

Fixing problems is the important focus, without doubt!
Obscurity != Security.  However, you may be able to buy
yourself a little time with some good ol' counter-intelligence.

-Paul

--
/Paul M. Hirsch              /
/elektrosatan () voltagenoir org/
/GPGPGPkeyID: 0xD11A250E     /
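As an added example (not code from this thread), here is a check an administrator can run against their own servers to confirm that the string set with the real named.conf option `options { version "not disclosed"; };` is what BIND actually returns for the CHAOS-class `version.bind` TXT query. The server hostname and the canned reply embedded below are constructed assumptions, so the parser can be exercised offline.

```python
import socket
import struct

TXT, CHAOS = 16, 3  # RR type TXT, class CHAOS (the class version.bind lives in)

def build_version_query(txid=0x1234):
    # Header: id, flags with RD set, QDCOUNT=1, then the single question.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + b"\x07version\x04bind\x00" + struct.pack(">HH", TXT, CHAOS)

def _skip_name(buf, off):
    # Step over a wire-format name: labels until the root label or a pointer.
    while buf[off] != 0 and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)

def parse_txt_answer(resp):
    """Return the strings from every CH/TXT answer record in a raw reply."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    strings = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if (rtype, rclass) == (TXT, CHAOS):
            i = 0
            while i < len(rdata):  # rdata is a run of <len><chars> segments
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return strings

def version_is_hidden(server, expected="not disclosed", timeout=3.0):
    # Ask one of your own servers (hostname assumed) and compare with the configured string.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, 53))
        resp, _ = s.recvfrom(512)
    return parse_txt_answer(resp) == [expected]

# Constructed reply, as a server configured with version "not disclosed" would answer.
SAMPLE_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                + b"\x07version\x04bind\x00" + struct.pack(">HH", TXT, CHAOS)
                + b"\xc0\x0c" + struct.pack(">HHIH", TXT, CHAOS, 0, 14)
                + b"\x0dnot disclosed")
```

`version_is_hidden("ns1.example.org")` is the live check; `parse_txt_answer(SAMPLE_REPLY)` shows the parser on the canned reply without touching the network.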

