And where would one find the source for this information in the Zope source code?

Shane

On Wed, 05 Jan 2005 07:28:56 +0100, Andreas Jung <lists@andreas-jung.com> wrote:
--On Mittwoch, 5. Januar 2005 1:22 Uhr -0500 Shane Graber <sgraber@gmail.com> wrote:
Is it possible to hide the header that Zope advertises?
Currently, Zope is advertising "Server: Zope/(Zope 2.7.3-0, python 2.3.4, linux2) ZServer/1.1 Plone/2.0.5", that is forwarded as is by Apache.
I know that apache can be set to hide its current version. It would be nice if we could do the same with Zope. Is this possible? Where/how do we do it?
Likely by hacking the sources.
-aj
On Wed, 2005-01-05 at 08:35 -0500, Shane Graber wrote:
On Wed, 05 Jan 2005 07:28:56 +0100, Andreas Jung <lists@andreas-jung.com> wrote:
--On Mittwoch, 5. Januar 2005 1:22 Uhr -0500 Shane Graber <sgraber@gmail.com> wrote:
Is it possible to hide the header that Zope advertises?
Currently, Zope is advertising "Server: Zope/(Zope 2.7.3-0, python 2.3.4, linux2) ZServer/1.1 Plone/2.0.5", that is forwarded as is by Apache.
I know that apache can be set to hide its current version. It would be nice if we could do the same with Zope. Is this possible? Where/how do we do it?
Likely by hacking the sources.
And where would one find the source for this information in the Zope source code?
Shane
You could use Apache's mod_headers to filter that header, or grep the source of Zope. Btw. what do you think you gain if you hide that information?

Regards
Tino
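One way to do what Tino suggests, as an added example that is not from this thread, from Apache or from the Zope project: an Apache 2.x reverse-proxy vhost that uses mod_headers to replace the Server header Zope sends upstream, and ServerTokens/ServerSignature to keep Apache's own banner to a bare "Apache". The hostname, backend address and ProxyPass target are assumptions for illustration; a real Plone site normally proxies to a VirtualHostMonster path rather than the bare root.

```apache
# Added example (not from the thread, Apache or Zope): Apache 2.x in front
# of Zope/ZServer, stopping the upstream
#   Server: Zope/(Zope 2.7.3-0, python 2.3.4, linux2) ZServer/1.1 Plone/2.0.5
# string from reaching clients. Names, ports and paths are assumptions.

# Apache's own banner on responses it serves itself: "Apache" only,
# no version, OS or module list, and no signature on error pages.
ServerTokens Prod
ServerSignature Off

<VirtualHost *:80>
    ServerName www.example.com

    ProxyRequests Off
    ProxyPreserveHost On
    # Assumed ZServer backend on localhost:8080.
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    # A reverse-proxied response keeps the upstream Server header unless
    # something replaces it, which is why the Zope banner shows through.
    # mod_headers rewrites the header before Apache emits the response,
    # so the Zope/Python/OS string is replaced with a fixed value.
    # "Header unset Server" alone is not enough here: with no Server
    # header left, Apache fills the slot with its own banner instead.
    Header set Server "webserver"
</VirtualHost>
```

After reloading Apache, `curl -sI http://www.example.com/ | grep -i '^Server:'` should show only the fixed value. As the rest of the thread points out, this removes the version advertisement and nothing else: the application still responds like Zope/Plone, so it is a tidy-up to pair with patching, not a substitute for it.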
Added security -- same reason why you can set up Apache to not broadcast what version it is. There's no reason to broadcast what versions of software we're running.

Shane

On Wed, 05 Jan 2005 15:07:25 +0100, Tino Wildenhain <tino@wildenhain.de> wrote:
On Wed, 2005-01-05 at 08:35 -0500, Shane Graber wrote:
Btw. what do you think you gain if you hide that information?
Regards Tino
State Auditors require it here. ;-)

Tom

ps: haven't done it yet but might now with these replies, thanks.

On Wed, 2005-01-05 at 09:31, Shane Graber wrote:
Added security -- same reason why you can set up Apache to not broadcast what version it is. There's no reason to broadcast what versions of software we're running.
Shane
On Wed, 05 Jan 2005 15:07:25 +0100, Tino Wildenhain <tino@wildenhain.de> wrote:
On Wed, 2005-01-05 at 08:35 -0500, Shane Graber wrote:
Btw. what do you think you gain if you hide that information?
Regards Tino
On Jan 5, 2005, at 15:31, Shane Graber wrote:
Added security -- same reason why you can set up Apache to not broadcast what version it is. There's no reason to broadcast what versions of software we're running.
Shane
On Wed, 05 Jan 2005 15:07:25 +0100, Tino Wildenhain <tino@wildenhain.de> wrote:
On Wed, 2005-01-05 at 08:35 -0500, Shane Graber wrote:
Btw. what do you think you gain if you hide that information?
Ah, yes, the Micro$haft kind of security... hehe.

Sorry, "security by obscurity" will not make your system any more secure. Don't delude yourself.

jens

---------------
Jens Vagelpohl
jens@zetwork.com
Software Engineer
+49-(0)441-36 18 14 38
Zetwork GmbH
http://www.zetwork.com/
+-------[ Jens Vagelpohl ]----------------------
|
| On Jan 5, 2005, at 15:31, Shane Graber wrote:
|
| >Added security -- same reason why you can set up Apache to not
| >broadcast what version it is. There's no reason to broadcast what
| >versions of software we're running.
| >
| >Shane
| >
| >
| >On Wed, 05 Jan 2005 15:07:25 +0100, Tino Wildenhain
| ><tino@wildenhain.de> wrote:
| >>On Wed, 2005-01-05 at 08:35 -0500, Shane Graber wrote:
| >>
| >>Btw. what do you think you gain if you hide that information?
|
| Ah, yes, the Micro$haft kind of security... hehe.
|
| Sorry, "security by obscurity" will not make your system any more
| secure. Don't delude yourself.

It's not the same as posting a sign saying that your door is unlocked.

--
Andrew Milton
akm@theinternet.com.au
| Sorry, "security by obscurity" will not make your system any more
| secure. Don't delude yourself.
It's not the same as posting a sign saying that your door is unlocked.
But that doesn't matter one bit. If there is *a door* exploits will be run against it - simply because a lot of them are automated and it's quick and easy to do so. If the exploit software exploits software X and the exploit mechanism finds out that software X is on the system it is looking at then it will try the exploit. No matter what version strings say. The script kiddies are dumb, but not that dumb.

jens

---------------
Jens Vagelpohl
jens@zetwork.com
Software Engineer
+49-(0)441-36 18 14 38
Zetwork GmbH
http://www.zetwork.com/
On Thu, 2005-01-06 at 01:48 +1100, Andrew Milton wrote:
+-------[ Jens Vagelpohl ]----------------------
|
| On Jan 5, 2005, at 15:31, Shane Graber wrote:
|
| >Added security -- same reason why you can set up Apache to not
| >broadcast what version it is. There's no reason to broadcast what
| >versions of software we're running.
| >
| >Shane
| >
| >
| >On Wed, 05 Jan 2005 15:07:25 +0100, Tino Wildenhain
| ><tino@wildenhain.de> wrote:
| >>On Wed, 2005-01-05 at 08:35 -0500, Shane Graber wrote:
| >>
| >>Btw. what do you think you gain if you hide that information?
|
| Ah, yes, the Micro$haft kind of security... hehe.
|
| Sorry, "security by obscurity" will not make your system any more
| secure. Don't delude yourself.
It's not the same as posting a sign saying that your door is unlocked.
Err. seriously, where is a Zope door unlocked? I mean, every visitor can find out with little effort if it's Zope running or something else. And Zope is probably one of the most secure web application solutions you could get. (Sure you can drill holes in it if you try really hard as Zope admin :-) But out-of-the-box it's really secure. Name any exploit you know.

Regards
Tino
Name any exploit you know.
Regards Tino
I don't know of any off the top of my head, but that's not to say that there isn't one out there that could exploit Zope in some way from its header info. We're just trying to be proactive about things, thus my question.

Shane
On Wed, 2005-01-05 at 09:31 -0500, Shane Graber wrote:
Added security -- same reason why you can set up Apache to not broadcast what version it is. There's no reason to broadcast what versions of software we're running.
Why not? It's nice for statistics. Unlike Apache, you have no access to the filesystem or other internals of the host via Zope. I bet you have more potentially insecure services on the average server box. Mail for example...

Regards
Tino
Yes, but that's no reason why not to lock down other items as well.

Shane

On Wed, 05 Jan 2005 15:47:44 +0100, Tino Wildenhain <tino@wildenhain.de> wrote:
Why not? It's nice for statistics. Unlike Apache, you have no access to the filesystem or other internals of the host via Zope.
I bet you have more potentially insecure services on the average server box. Mail for example...
Regards Tino
On Wed, 2005-01-05 at 09:55 -0500, Shane Graber wrote:
Yes, but that's no reason why not to lock down other items as well.
Painting a door a different color does not really mean you locked it.

PS: if you follow some mailing lists, do you see a pattern in how people quote emails? No? Well. ok ... ;)

Regards
Tino
+-------[ Tino Wildenhain ]----------------------
| On Wed, 2005-01-05 at 09:55 -0500, Shane Graber wrote:
| > Yes, but that's no reason why not to lock down other items as well.
|
| Painting a door a different color does not really mean you locked
| it.

No one is saying, don't lock it. No one is saying that removing version numbers is a solution by itself. But it certainly ADDS something.

If it didn't there wouldn't be such an effort to prevent OS types and versions from being decoded by passive scanning.

--
Andrew Milton
akm@theinternet.com.au
On Thu, 2005-01-06 at 02:11 +1100, Andrew Milton wrote:
+-------[ Tino Wildenhain ]----------------------
| On Wed, 2005-01-05 at 09:55 -0500, Shane Graber wrote:
| > Yes, but that's no reason why not to lock down other items as well.
|
| Painting a door a different color does not really mean you locked
| it.
No one is saying, don't lock it. No one is saying that removing version numbers is a solution by itself. But it certainly ADDS something.
If it didn't there wouldn't be such an effort to prevent OS types and versions from being decoded by passive scanning.
Hm. most of the time - and in this case - it's just overkill. The only real gain I see is you save some bytes to transfer over the web. Attackers choose the simplest way to get in - and a running Zope just is not. So better spend the time in making all those other services even close to the secureness of Zope. Next you can think about hiding the version number.

Just my thinking :-)

Regards
Tino
+-------[ Tino Wildenhain ]----------------------
| On Thu, 2005-01-06 at 02:11 +1100, Andrew Milton wrote:
| > +-------[ Tino Wildenhain ]----------------------
| > | On Wed, 2005-01-05 at 09:55 -0500, Shane Graber wrote:
| > | > Yes, but that's no reason why not to lock down other items as well.
| > |
| > | Painting a door a different color does not really mean you locked
| > | it.
| >
| > No one is saying, don't lock it. No one is saying that removing version numbers
| > is a solution by itself. But it certainly ADDS something.
| >
| > If it didn't there wouldn't be such an effort to prevent OS types and versions
| > from being decoded by passive scanning.
| Attackers choose the simplest way to get in - and a running Zope
| just is not. So better spend the time in making all those other
| services even close to the secureness of Zope. Next you can think
| about hiding the version number.

Are you volunteering to go around to all the authors of all the products listed on the Downloads pages of zope.org (with or without a bat)? d8)

--
Andrew Milton
akm@theinternet.com.au