suppress cyrus version information possible?

[Jim Levie]

On Fri, 2004-10-29 at 14:21, Mike Nuss wrote:
> Ken Murchison wrote:
> 
> > Sascha Wuestemann wrote:
> >
> >> Hi,
> >>
> >> when sending email over cyrus imap, it gives full information about
> >> version. So, an attacker has just to telnet at port 25 to see if his
> >> bunch of exploits fits to it.
> >>
> >> That is a dangerous and I would like to suppress all version
> >> information, even that it is cyrus answering, if possible.
> >
> >
> > Security by obscurity never works.  Do you really think an attacker 
> > would be deterred by the version number that he sees?  He'll probably 
> > try his attack regardless of the version reported.
> >
> I wouldn't go so far as to say that it NEVER works.  It's not an 
> uncommon practice to remove version information from banners for this 
> reason.  Certainly a determined attacker might use any tools at her 
> disposal regardless of whether she knows what version you're running, 
> but anything you can do to make it less easy for an attacker, such as 
> removing version information, is worthwhile.  It's like a burglar alarm; 
> it doesn't *prevent* an intruder, but it might make the unalarmed house 
> next door a more appealing target.
> 
>From what I've seen of cracker tools I'd agree with Ken. In general a
cracker simply runs a tool kit that attempts to exploit all known
vulnerabilities for that OS. If one works, they are in, and if not they
move on to another system. The tools themselves seldom check version
information since it may be hidden, or in the case of some Linux systems
not reflect the real security state of the package due to back ports of
fixes from later versions.

-- 
The instructions said to use Windows 98 or better, so I installed
RedHat.


---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html