Comments on: Make sure you hide your Apache headers!! http://www.graysunderground.com/2008/02/08/make-sure-you-hide-your-apache-headers/ Gray's Tech Blog Wed, 20 Aug 2008 07:09:40 +0000 http://wordpress.org/?v=2.1.3 By: Experienced http://www.graysunderground.com/2008/02/08/make-sure-you-hide-your-apache-headers/#comment-1346 Experienced Thu, 22 May 2008 23:15:47 +0000 http://www.graysunderground.com/2008/02/08/make-sure-you-hide-your-apache-headers/#comment-1346 Sorry. Servertokens have nothing to do with security. If one fails to keep their software and OS current and does not correct unpatched vulnerabilities themselves, then THAT is a security problem. Attempting to hide out of date software will do nothing to prevent hacking attempts/successes. I have left Apache running on Windows with full servertokens on busy websites for many years, not hacked once. Yes windows, no firewall, wide open on the internet, never hacked. Why? Because I don't fall for all the crap that most people do. I can do the same on QNX, FreeBSD, Slackware, VxWorks... etc... etc... I hate to say it as it is so trite, but here it is: Security through obscurity does not work. Period. Sorry. Servertokens have nothing to do with security. If one fails to keep their software and OS current and does not correct unpatched vulnerabilities themselves, then THAT is a security problem. Attempting to hide out of date software will do nothing to prevent hacking attempts/successes.

I have left Apache running on Windows with full servertokens on busy websites for many years, not hacked once. Yes windows, no firewall, wide open on the internet, never hacked. Why? Because I don’t fall for all the crap that most people do.

I can do the same on QNX, FreeBSD, Slackware, VxWorks… etc… etc…

I hate to say it as it is so trite, but here it is:
Security through obscurity does not work. Period.

]]> By: Gray http://www.graysunderground.com/2008/02/08/make-sure-you-hide-your-apache-headers/#comment-1347 Gray Fri, 23 May 2008 19:56:13 +0000 http://www.graysunderground.com/2008/02/08/make-sure-you-hide-your-apache-headers/#comment-1347 I have to agree and disagree with this. Being that obscurity only helps when your website is the one site the feel they need to hack. I have one server running apache with the tokens open for all the world to see that has been running for 4 years now, never had a single hack attempt. It hosts nothing of real value or anything that is inflammatory that invites attack. On the other hand I also admin an a high traffic site, that is more prone to attack because of the content that resides there, so in this instance obscurity is your friend. Why? Because even though I keep my OS and software up to date, it does not mean updated software equals safe software. With that being said the latest software has holes just like anything else and if the hacker knows what I'm running it is that much easier for them to penetrate the system as they can look a security issues up on that particular version of apache or OS and see where I'm vulnerable. So obscurity is your friend, while obscurity does not equal security, it does give you a better chance of avoiding or delaying attacks. And delaying attacks until I can apply a security patch keeps my servers safe. I have to agree and disagree with this. Being that obscurity only helps when your website is the one site the feel they need to hack. I have one server running apache with the tokens open for all the world to see that has been running for 4 years now, never had a single hack attempt. It hosts nothing of real value or anything that is inflammatory that invites attack.

On the other hand I also admin an a high traffic site, that is more prone to attack because of the content that resides there, so in this instance obscurity is your friend. Why? Because even though I keep my OS and software up to date, it does not mean updated software equals safe software. With that being said the latest software has holes just like anything else and if the hacker knows what I’m running it is that much easier for them to penetrate the system as they can look a security issues up on that particular version of apache or OS and see where I’m vulnerable.

So obscurity is your friend, while obscurity does not equal security, it does give you a better chance of avoiding or delaying attacks. And delaying attacks until I can apply a security patch keeps my servers safe.

]]>