On Sat, 2004-10-30 at 02:47, Ken Murchison wrote:

> Security by obscurity never works. Do you really think an attacker
> would be deterred by the version number that he sees? He'll probably
> try his attack regardless of the version reported.
I humbly disagree. I think it depends a lot on what your goals are. I view running services on non-standard ports as being reasonable in some situations, for example, because it reduces the chances a dumb worm will find and exploit the service before I hear about and patch a hole. Similarly, hiding the banner might fool casual scanners trying to identify potentially crackable systems. It's a bit of a stretch though, I think.

I think relying on "security through obscurity" measures would be stupidity in the extreme, but securing your server and then employing useful ones anyway seems entirely reasonable to me. Of course, whether there's any benefit, or enough to justify the irritation involved, depends on what you're doing, why, and what you're trying to protect against - but that's always the case really.

I've never considered suppressing banners worth the effort myself.

--
Craig Ringer

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html