[Zope] Banner Grabbing
Robert Segall
roseg at apsis.ch
Tue Sep 30 20:41:11 EDT 2003
On Wednesday 01 October 2003 01:11, D. Rick Anderson wrote:
> > I don't believe in relying on security-through-obscurity...
>
> I couldn't agree more, but it shows up as a 'warning' in Nessus, and my
> boss wants it cleared up. I don't intend to 'rely' on that, but why give
> some dough-head out there more information than you have to? I've done
> it to our servers that ARE running apache with:
>
> ServerTokens Prod
>
> and then all they return is "Apache" without any versioning info, and if
> you set:
>
> expose_php = Off
>
> in your /etc/php.ini it won't barf out all of your PHP version
> information either. I just want to know how to do it in Zope.
>
> Thanks,
>
> Rick
Actually this is useful: if you have a proxy in front of Zope and it passes
the headers through unchanged any attacker will try to attack Zope rather
than the proxy. Of course, it won't work.
This is a bit of "security through obscurity", but any little bit helps. In
the Pound logs we see every day quite a few nasty attempts against IIS servers
which fail because Pound rejects them...
So I suggest you try this tack with your boss - it may even sound
"sophisticated" and "tricky" enough for him. If it doesn't help try some
"based on this in-depth analysis of the current security threat level, I feel
that an indirect approach to the solution may enhance our proactive stance".
Shareholder value? Due diligence? Multi-cultural?
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
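The thread above is about verifying that a server no longer advertises product and version strings in its HTTP headers (the sort of thing Nessus reports as a warning). The following is an added example, not code from the thread or from Zope, Apache or Pound: it parses a raw HTTP response, reports any Server, X-Powered-By or Via header that still carries a version number or names a technology, and includes a small live helper (a HEAD request via the standard library) for checking one of your own hosts. The two sample responses are constructed to mimic an Apache/PHP box before and after ServerTokens Prod and expose_php = Off; they were not captured from any real server, and the header set and the version regex are this example's own choices.

```python
"""Audit HTTP response headers for product/version disclosure.

Added example (not from the mailing-list thread): checks whether a
server's headers still leak the banner strings that scanners flag, so
an admin can confirm that settings such as Apache's ServerTokens Prod or
PHP's expose_php = Off actually took effect.
"""
import http.client
import re

# Crude version pattern: matches "2.0.47", "4.3.3", "6.0" and the like.
VERSION_RE = re.compile(r"\d+\.\d+")
# Headers that commonly carry product/version banners (this example's choice).
BANNER_HEADERS = {"server", "x-powered-by", "via"}


def parse_raw(raw: bytes):
    """Turn a raw HTTP response (bytes as seen on the wire) into a list of
    (header-name, value) pairs; the status line and body are ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]  # drop the status line
    pairs = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def fetch_headers(host, port=80, path="/", timeout=5):
    """Live variant: send a HEAD request to one of your own servers and
    return its headers as (name, value) pairs. Not exercised offline."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheaders()
    finally:
        conn.close()


def banner_findings(headers):
    """Return (name, value, reason) for every banner-like header that still
    discloses a product and/or version number."""
    findings = []
    for name, value in headers:
        if name.lower() not in BANNER_HEADERS:
            continue
        if VERSION_RE.search(value):
            findings.append((name, value, "version number disclosed"))
        elif name.lower() != "server":
            # A bare "Server: Apache" (what ServerTokens Prod leaves) is
            # accepted, but any X-Powered-By / Via header still names a
            # technology, so it is reported.
            findings.append((name, value, "technology disclosed"))
    return findings


# Constructed sample responses (not captured from any real host).
BEFORE = (b"HTTP/1.1 200 OK\r\n"
          b"Date: Tue, 30 Sep 2003 20:41:11 GMT\r\n"
          b"Server: Apache/2.0.47 (Unix) PHP/4.3.3\r\n"
          b"X-Powered-By: PHP/4.3.3\r\n"
          b"Content-Type: text/html\r\n\r\n<html></html>")
AFTER = (b"HTTP/1.1 200 OK\r\n"
         b"Date: Tue, 30 Sep 2003 20:41:11 GMT\r\n"
         b"Server: Apache\r\n"
         b"Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        findings = banner_findings(parse_raw(raw))
        print(label, "->", findings or "no banner disclosure")
```

Run it as-is to see the "before" response flagged on both Server and X-Powered-By and the "after" response come back clean; for a real check, feed `fetch_headers("your.host")` into `banner_findings` instead of the constructed bytes. The "Server: Apache" value passes deliberately, matching the thread's point that the bare product name is fine and only the version detail is worth hiding.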