Re: How to Hide the IIS FTP Banner ?
From: Bernard (qbernard_at_hotmail.com.discuss)
Date: 05/19/04
- Next message: Bernard: "Re: FTP For Website Admins"
- Previous message: Bernard: "Re: mdtm and size commands"
- In reply to: Alun Jones [MS MVP - Security]: "Re: How to Hide the IIS FTP Banner ?"
- Next in thread: Alun Jones [MS MVP - Security]: "Re: How to Hide the IIS FTP Banner ?"
- Reply: Alun Jones [MS MVP - Security]: "Re: How to Hide the IIS FTP Banner ?"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 19 May 2004 15:03:18 +0800
Now, my turn :)
Well, not everyone understand 'security'. Some may feel hiding is waste of
time and etc, some may feel 'Nice, if I can hide it'. So what we can do is
educate the user. 'Yes, you can hide it, but it will not actually protect
you'.
I'm sure there MUST be thousand of requests before MS go ahead and do it.
They are 'listening', so it's good. What miss is the article didn't not
mention anything about 'security'. It would be nice to have a short
paragraph like mine here :) http://msmvps.com/bernard/posts/6227.aspx (last
week) and tell users about attacks and the banner modification.
It would be better, if we can customize it. Either a 'blank' string or
'UFOFTP v3.2', just like ftp msgs. In this way, users can hide or change it.
-- Regards, Bernard Cheah http://www.tryiis.com/ http://support.microsoft.com/ http://www.msmvps.com/bernard/ "Alun Jones [MS MVP - Security]" <alun@texis.invalid> wrote in message news:uPrqc.109$bF1.101@newssvr22.news.prodigy.com... > In article <kf9ka05mkbfaaaljh5i7elc3g8c32u68rb@4ax.com>, Paul Lynch > <paul.lynch@nospam.com> wrote: > >So then making it that bit harder for them to find out that > >information has to be a good thing, no ? If their social engineering > >or fingerprinting skills aren't up to scratch then you've just reduced > >their attack surface that bit more, no ? > > Not really, no. Someone who's targeting you will not rely on any > information that is given to them, and will collect a bunch of information > before starting their attack. They have to believe that they will be > detected, so they have a short window of time to do the actual attack. So, > they will collect as much information as possible ahead of time. > > >Agreed, but if you were savvy enough to try and mask your server's > >true identity then one would *assume* that you wouldn't be running a > >vulnerable server in the first place so it wouldn't make any > >difference anyway for such an attack. > > How do you know that the server is vulnerable or not? There is no way to > know, until a vulnerability is discovered and announced, that your server > has a vulnerability. > > >I wasn't aware of this. Have you got any examples of clients which > >take advantage of this and what functionality you break if you mask > >the server ID ? Just curious.... > > Any FTP client that has a setting for you to specify what kind of server > you're connecting to. You'd have to ask the client authors about that, it's > not something that has greatly interested me. The point is that they have > the feature, and it would be a waste if it was unnecessary. > > Alun. > ~~~~ > > [Please don't email posters, if a Usenet response is appropriate.] > -- > Texas Imperial Software | Find us at http://www.wftpd.com or email > 1602 Harvest Moon Place | alun@texis.com. > Cedar Park TX 78613-1419 | WFTPD, WFTPD Pro are Windows FTP servers. > Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
- Next message: Bernard: "Re: FTP For Website Admins"
- Previous message: Bernard: "Re: mdtm and size commands"
- In reply to: Alun Jones [MS MVP - Security]: "Re: How to Hide the IIS FTP Banner ?"
- Next in thread: Alun Jones [MS MVP - Security]: "Re: How to Hide the IIS FTP Banner ?"
- Reply: Alun Jones [MS MVP - Security]: "Re: How to Hide the IIS FTP Banner ?"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
