suppress cyrus version information possible?
Mike Nuss
mnuss at ammasso.com
Fri Oct 29 15:21:50 EDT 2004
Ken Murchison wrote:
> Sascha Wuestemann wrote:
>
>> Hi,
>>
>> when sending email over cyrus imap, it gives full information about
>> version. So, an attacker has just to telnet at port 25 to see if his
>> bunch of exploits fits to it.
>>
>> That is a dangerous and I would like to suppress all version
>> information, even that it is cyrus answering, if possible.
>
>
> Security by obscurity never works. Do you really think an attacker
> would be deterred by the version number that he sees? He'll probably
> try his attack regardless of the version reported.
>
I wouldn't go so far as to say that it NEVER works. It's not an
uncommon practice to remove version information from banners for this
reason. Certainly a determined attacker might use any tools at her
disposal regardless of whether she knows what version you're running,
but anything you can do to make it less easy for an attacker, such as
removing version information, is worthwhile. It's like a burglar alarm;
it doesn't *prevent* an intruder, but it might make the unalarmed house
next door a more appealing target.
Mike Nuss
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus
mailing list