Greg A. Woods wrote:
[ On Thursday, June 16, 2005 at 14:23:04 (-0700), Philip Edelbrock wrote: ]

Subject: Re: Changing the IMAP server's banner -- does one still need to patch the source?
[...]


Fix the bugs (or don't run the service) -- don't just pretend to hide
them, because you cannot.


Just for the record, I didn't see this part of the subject line until just now: " -- Does one still need to patch the source?" It got cut off on my screen! But I see it now that it's been quoted in the last email. ='o

Of course, you need to fix bugs/vulnerabilities as you find them! Sorry if it seemed like I didn't support that. My interjection into the thread was that it might be useful to suppress the version tag on the public port. We do that here at my company for anything which gives the option for it (for things like Apache and such). We don't, of course, ignore or suppress the version information for ourselves, lol! And we don't use it as an excuse to avoid updates. It's just a little extra cheap insurance.

We've had some compromises here (*blush*), including the recent PHPBB2 worm which uses Google to find the html footer of PHPBB2 sites which publish the version. Had the version been suppressed, it would have been a case where it would at least have bought us some time to do updates. And, I noticed, that PHPBB2 now does not publish the version in the footer by default anymore.

From my general experience as a lead IT guy for a web development company for 7+ years, you're more likely to be a random victim of a hack that uses your server as a zombie for spamming. Sort of like a thief roaming the parking lot looking for an easy target.

We haven't been a victim of a targeted attack (cross my fingers!), but if we were... I'm imagining that it wouldn't be fun, even when completely up to date on everything!

Anyways, sorry for the misunderstanding.  :')


Phil
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
