Don’t hide
Somehow I feared I wouldn’t be able to make a post out of this topic, since it’s hard to argue for not doing something. In this case: not hiding information. Recently I heard someone ask how to hide the version numbers of the daemons he had set up on his server. His fear was that once the software he deploys becomes publicly known, “malicious hackers” would be able to use exploits hand-crafted for exactly those versions. I didn’t want to get involved in that discussion, but I’m nevertheless sure he missed the point of hiding version information.

Usually, unless you work for a high-profile company, your servers won’t be attacked on purpose. The motivation is then a general interest in exploiting any vulnerability (for whatever purpose that may be). But such assaults are far too tedious to carry out “by hand” against a bunch of machines that first have to be found. Therefore these attacks are automated, and for the sake of being effective (read: efficient) every implemented exploit is tested against every possible target. Again, the goal of those sweeps is to find an arbitrary exploitable system, not a specific one. And usually the automated tests don’t care about the version string an application returns; at best it is used to decide which exploit to try first.

On the other hand, hiding version strings just annoys your users, especially if they want something version-specific. Then they either have to ask you, or they risk breaking something. Don’t be ashamed to tell what software you’ve got!