Changing the IMAP server's banner -- does one still need to patch the source?

Philip Edelbrock phil at edgedesign.us
Fri Jun 17 13:52:25 EDT 2005



Greg A. Woods wrote:
> [ On Thursday, June 16, 2005 at 14:23:04 (-0700), Philip Edelbrock wrote: ]
> 
>>Subject: Re: Changing the IMAP server's banner -- does one still need to patch the source?
>>[...]

> 
> Fix the bugs (or don't run the service) -- don't just pretend to hide
> them, because you cannot.
> 

Just for the record, I didn't see this part of the subject line until 
just now: " -- Does one still need to patch the source?" It got cut off 
on my screen! But I see it now that it's been quoted in the last email. ='o

Of course, you need to fix bugs/vulnerabilities as you find them!  Sorry
if it seemed like I didn't support that.  My interjection into the
thread was that it might be useful to suppress the version tag on the
public port.  We do that here at my company for anything which gives the
option for it (for things like Apache and such).  We don't, of course,
ignore or suppress the version information for ourselves, lol!  And we
don't use it as an excuse to avoid updates.  It's just a little extra
cheap insurance.

We've had some compromises here (*blush*), including the recent PHPBB2
worm which uses Google to find the html footer of PHPBB2 sites which
publish the version.  Had the version been suppressed, it would have been
a case where it would at least have bought us some time to do updates.  And,
I noticed, that PHPBB2 now does not publish the version in the footer by
default anymore.

From my general experience as a lead IT guy for a web development
company for 7+ years, you're more likely to be a random victim of a hack
that uses your server as a zombie for spamming.  Sort of like a thief
roaming the parking lot looking for an easy target.

We haven't been a victim of a targeted attack (cross my fingers!), but
if we were... I'm imagining that it wouldn't be fun, even when
completely up to date on everything!

Anyways, sorry for the misunderstanding.  :')


Phil