On Wednesday 01 October 2003 01:11, D. Rick Anderson wrote:
I don't believe in relying on security-through-obscurity...
I couldn't agree more, but it shows up as a 'warning' in Nessus, and my boss wants it cleared up. I don't intend to 'rely' on that, but why give some dough-head out there more information than you have to? I've done it to our servers that ARE running apache with:
ServerTokens Prod
and then all they return is "Apache" without any versioning info, and if you set:
expose_php = Off
in your /etc/php.ini it won't barf out all of your PHP version information either. I just want to know how to do it in Zope.
Thanks,
Rick
Actually this is useful: if you have a proxy in front of Zope and it passes the headers through unchanged, any attacker will try to attack Zope rather than the proxy. Of course, it won't work. This is a bit of "security through obscurity", but any little bit helps. In the Pound logs we see every day quite a few nasty attempts against IIS servers which fail because Pound rejects them... So I suggest you try this tack with your boss - it may even sound "sophisticated" and "tricky" enough for him. If it doesn't help, try some "based on this in-depth analysis of the current security threat level, I feel that an indirect approach to the solution may enhance our proactive stance". Shareholder value? Due diligence? Multi-cultural?

-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
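The check Nessus is running amounts to reading the response headers and looking for product/version tokens. The following is an added example (not part of the thread, and not Zope, Apache or Pound code) that does exactly that against constructed response heads: a default Apache+PHP response before `ServerTokens Prod` / `expose_php = Off`, the same server after, and a Zope-style `Server` header as Robert's proxy case would forward it unchanged. The header strings, the header list and the token regex are all assumptions made for the example; the Zope header in particular is a constructed approximation of what ZServer emitted at the time, not a captured one.

```python
import re

# Constructed sample response heads (not captured traffic).
DEFAULT_APACHE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 01 Oct 2003 01:11:00 GMT\r\n"
    "Server: Apache/2.0.47 (Unix) PHP/4.3.3\r\n"
    "X-Powered-By: PHP/4.3.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Same server after 'ServerTokens Prod' and 'expose_php = Off'.
HARDENED_APACHE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 01 Oct 2003 01:11:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed approximation of a ZServer 'Server' header, as a proxy that
# passes headers through unchanged would hand it to the client.
ZOPE_VIA_PROXY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Zope/(Zope 2.6.2 (source release, python 2.1, linux2), "
    "python 2.1.3, linux2) ZServer/1.1b1\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Headers that routinely carry product/version information (assumed list).
DISCLOSING_HEADERS = ("server", "x-powered-by", "via", "x-aspnet-version")

# A product token followed by a version ("Apache/2.0.47", "ZServer/1.1b1"),
# or a bare dotted version number ("2.1.3") buried in free text.
TOKEN_RE = re.compile(r"[A-Za-z][\w.-]*/\d[\w.-]*|\d+\.\d+(?:\.\d+)*")


def parse_headers(raw):
    """Split a raw response head into (lowercase-name, value) pairs, keeping order and duplicates."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def version_disclosures(raw):
    """Return (header, token) pairs for every version-bearing token in a disclosing header."""
    findings = []
    for name, value in parse_headers(raw):
        if name not in DISCLOSING_HEADERS:
            continue
        for token in TOKEN_RE.findall(value):
            findings.append((name, token))
    return findings


def passed_through(origin_raw, proxied_raw):
    """Tokens from the origin's response that the proxy forwarded to the client unchanged."""
    origin_tokens = {token for _, token in version_disclosures(origin_raw)}
    return [(n, t) for n, t in version_disclosures(proxied_raw) if t in origin_tokens]


if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_APACHE), ("hardened", HARDENED_APACHE), ("zope", ZOPE_VIA_PROXY)):
        print(label, version_disclosures(sample))
    print("forwarded by proxy:", passed_through(ZOPE_VIA_PROXY, ZOPE_VIA_PROXY))
```

The hardened sample yields no findings, which is the state that clears the scanner warning; the Zope sample shows why a pass-through proxy does not help by itself, since every token the origin emits reaches the client. Running the same function against a real response head (for example the output of a raw `HEAD` request) is the quickest way to confirm a `ServerTokens` or `expose_php` change actually took effect.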