
Re: [cobalt-users] wish to Cobalt: suppressing "sensitive" information



> I could change some things myself, but
> 1. I do not want to void my warranty, and
> 2. I do not want to "interfere" with Cobalt's tools :)

I don't believe that any of the proposed changes will interfere with either.

> 1.
> In the FTP server, with a simple entry in the config file, the version
> number and FTP server software is not shown, just something like
> "Welcome to FTP". Please use that feature.

This should have been done from the get go.  It is a simple thing to do that
will help, but certainly not eliminate the chance that an exploit will get
used.  I have found that most people that attempt exploits don't even
check--they just try it.

Obscurity is NOT a substitute for security.

On the other hand there is no reason why we should be announcing "PLEASE
HACK ME.".

> 2.
> On http://www.netcraft.com/whats/ , one can easily see the used HTTP
> server. Instead of showing
> "Apache/1.3.6 (Unix) mod_perl/1.21 mod_ssl/2.2.8 OpenSSL/0.9.2b",
> with a simple entry in httpd.conf, it could just be
> "Apache".

This isn't really sensitive information.  Very little, security-wise, can be
gleaned off of this information.

> 3.
> When logging on via telnet, one sees Cobalt OS revision and kernel
> version.
> 
> Cobalt Linux release 5.0 (Pacifica)
> Kernel 2.2.14C10 on an i586
> 
> If the file /etc/issue.net would be removed/renamed, no information
> would be shown. So do it ;-)

I agree.  This information can be helpful to a sysadmin, but usually isn't.
 
> 4.
> Same when telnetting on to port 25 or 110, you see
> sendmail's/qpopper's version. Can be turned off in the config file.

I agree it should be turned off.

It would be very easy for someone to write a patch that updates these config
files.  No big deal.

But keep in mind that it is only a relatively minor difference.  A machine
can totally be fingerprinted using other methods.  Just by portscanning you
could identify a Cobalt Raq3 or whatever in its default configuration.
Hell, if you wanted to identify one you can just go to
http://www.whatever.com/fingerpringblahrandomtexthere and parse the metatag.
If it has "Copyright (C) 1999, Cobalt Networks, Inc." in there then it is a
Raq2 probably.

For what it is worth.
-k
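
An added example, not part of the original post: a small offline check that reports which version and platform details a service banner gives away, run over the banner strings quoted in this thread. The service labels, function names and patterns are assumptions made for the illustration.

```python
import re

# "product/version" pairs, e.g. "Apache/1.3.6" or "OpenSSL/0.9.2b".
SLASH_TOKEN = re.compile(r"\b[A-Za-z][\w.+-]*/\d+(?:\.\d+)+[\w.-]*")
# Bare dotted versions not already part of a slash token, e.g. "2.2.14C10".
BARE_VERSION = re.compile(r"(?<![\w./])\d+(?:\.\d+)+[A-Za-z0-9]*\b")
# Platform hints: "(Unix)" / "(Win32)" and x86 architecture names like "i586".
PLATFORM = re.compile(r"\((?:Unix|Win32)\)|\bi[3-6]86\b")


def disclosed_tokens(banner):
    """Return version and platform details found in a banner, grouped by kind."""
    found = []
    for pattern in (SLASH_TOKEN, BARE_VERSION, PLATFORM):
        found.extend(m.group(0) for m in pattern.finditer(banner))
    return found


def audit(banners):
    """Map each service to what its banner discloses; clean banners are omitted."""
    report = {}
    for service, banner in banners.items():
        tokens = disclosed_tokens(banner)
        if tokens:
            report[service] = tokens
    return report


# Constructed input: banner strings quoted in the thread, keyed by assumed labels.
BEFORE = {
    "http": "Apache/1.3.6 (Unix) mod_perl/1.21 mod_ssl/2.2.8 OpenSSL/0.9.2b",
    "telnet": "Cobalt Linux release 5.0 (Pacifica)\nKernel 2.2.14C10 on an i586",
}
# Constructed input: the reduced banners the thread asks for.
AFTER = {"http": "Apache", "ftp": "Welcome to FTP"}

if __name__ == "__main__":
    for name, banners in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(banners))
```

The bare-version pattern also matches dotted IP addresses, so a banner that prints the host address will be reported as well.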