suppress cyrus version information possible?

Mike Nuss mnuss at ammasso.com
Fri Oct 29 15:21:50 EDT 2004


Ken Murchison wrote:

> Sascha Wuestemann wrote:
>
>> Hi,
>>
>> when sending email over cyrus imap, it gives full information about
>> version. So, an attacker has just to telnet at port 25 to see if his
>> bunch of exploits fits to it.
>>
>> That is a dangerous and I would like to suppress all version
>> information, even that it is cyrus answering, if possible.
>
>
> Security by obscurity never works.  Do you really think an attacker 
> would be deterred by the version number that he sees?  He'll probably 
> try his attack regardless of the version reported.
>
I wouldn't go so far as to say that it NEVER works.  It's not an 
uncommon practice to remove version information from banners for this 
reason.  Certainly a determined attacker might use any tools at her 
disposal regardless of whether she knows what version you're running, 
but anything you can do to make it less easy for an attacker, such as 
removing version information, is worthwhile.  It's like a burglar alarm; 
it doesn't *prevent* an intruder, but it might make the unalarmed house 
next door a more appealing target.

Mike Nuss
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html




More information about the Info-cyrus mailing list