OK, using your logic, I will deduce that since anything on a network can be hacked into, I should not attempt to take any security precautions. Security is applied in layers, and the more layers the better. My question was not intended to start a thread regarding security practices, as that is not the design of this list. We should drop it. I asked a question and got an answer.

At 01:59 PM 4/2/2002 -0600, Jim Levie wrote:
>On Tue, 2002-04-02 at 13:26, Ken Murchison wrote:
> >
> > Clifford Thurber wrote:
> > >
> > > Ken, I am just interested in suppressing platform/version information when
> > > someone telnets to port 143. Just one more layer of security.
> >
> > But by doing this, you're implying that there is a security hole in the
> > Cyrus server which can be exploited if the hacker discovers the
> > vendor/version info. Is there some known security hole in Cyrus that
> > isn't in other servers? Even if there is, I don't think that the lack
> > of info in the banner is going to stop a hacker from trying the exploit
> > anyway. Furthermore, a good hacker intent on finding Cyrus servers
> > could also detect them by looking for known response strings from commands,
> > etc.
> >
>Ah yes, the old "security through obscurity" game. From what I've seen,
>eliminating the server type and version has no effect on whether a
>cracker can exploit any weakness that an application has. And that's
>because the vast majority of attacks aren't done in what one would
>consider an intelligent manner. The attacker doesn't examine services to
>figure out if they are vulnerable or not. He/she simply runs a script
>that attempts to exploit all known vulnerabilities. So hiding the fact
>that you are running a certain version of Sendmail, or Cyrus, or
>whatever doesn't generally help. The attack scripts that I've recovered
>from cracked boxes (that were then used to try to crack other boxes)
>just had a big list of things to try.
>--
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> Jim Levie                               email: [EMAIL PROTECTED]
> Dynetics Inc, Huntsville, Al            Ph. 256.964.4337
> The opinions expressed above are just that...