On Tue, 17 Jul 2001 17:31:19 +0200, Phil Pennock wrote:
> But changing smtp_banner and received_header_text to strip version
> numbers impedes automated attacks.
You think? I reckon the vast majority of exploits attempt the exploit
itself to discover vulnerability. Most incidents of attempted
exploitation occur blind.
> Who are these "legitimate consumers" that they have a right to know
> the software version of your MTA?
Local administrators and remote postmasters.
> In the situations I've been involved in, anyone with legitimate needs to
> know the version of Exim can log on and run "exim -bV" to see it.
There are other situations. :-)
> This does scale to a large number of machines, as easily as just
> connecting to the SMTP port and parsing the info there does.
You're talking about the local admin case. Here, what you say simply
isn't true. Arranging shell access for large numbers of unprivileged
users, even with tools like Kerberos, isn't nearly as easy as
advertising the version of the software.
> Basically, what I'm saying is "The defaults are fine, but please don't
> bitch at people who choose to change them."
Then you misunderstood what I was saying. I didn't say that nobody
should change the banner. What I was saying was that it's a dangerous
assumption that it'll improve security at all. I'm of the opinion that
folks should feel free to do whatever they like, but when they're given
suggestions, they shouldn't be misled or given half the story.
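To make concrete what both posters are arguing about, here is an added example (not code from the thread or from Exim itself) of the banner grab an automated scanner performs, run against a throwaway in-process SMTP greeter on loopback. The banner and Received-header strings are constructed; the "default" shape assumes the Exim 3-era format "hostname ESMTP Exim <version> #<build> <date>", and the "stripped" shape is what an administrator who edits smtp_banner and received_header_text to drop the version would emit. Only the version string changes between the two; the server and the client dialogue are otherwise identical.

```python
import re
import socket
import threading

# Constructed samples (assumed Exim 3-era formats, not taken from the thread).
DEFAULT_STYLE_BANNER = "mail.example.org ESMTP Exim 3.22 #1 Tue, 17 Jul 2001 17:31:19 +0200"
STRIPPED_BANNER = "mail.example.org ESMTP"
DEFAULT_STYLE_RECEIVED = (
    "Received: from relay.example.com ([192.0.2.10]) by mail.example.org "
    "with esmtp (Exim 3.22 #1) id 15MhXZ-0003m9-00 for user@example.org; "
    "Tue, 17 Jul 2001 17:31:19 +0200"
)
STRIPPED_RECEIVED = (
    "Received: from relay.example.com ([192.0.2.10]) by mail.example.org "
    "with esmtp id 15MhXZ-0003m9-00 for user@example.org; "
    "Tue, 17 Jul 2001 17:31:19 +0200"
)

# "Exim 3.22 #1" -> version "3.22", build "1"; build is optional.
EXIM_VERSION_RE = re.compile(r"\bExim\s+(\d+(?:\.\d+)+)(?:\s+#(\d+))?")


def exim_version(text):
    """Return (version, build) if an Exim version is advertised in text, else None.
    Works on both a 220 greeting line and a Received: header."""
    m = EXIM_VERSION_RE.search(text)
    return (m.group(1), m.group(2)) if m else None


def _serve_banner(listener, banner):
    """Toy SMTP greeter: send one 220 line, answer QUIT with 221, then exit."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(("220 " + banner + "\r\n").encode())
        buf = b""
        while not buf.endswith(b"\r\n"):
            chunk = conn.recv(1024)
            if not chunk:
                break
            buf += chunk
        if buf.upper().startswith(b"QUIT"):
            conn.sendall(b"221 closing connection\r\n")
    listener.close()


def grab_banner(host, port, timeout=5.0):
    """What a scanner does: connect, read the greeting, say QUIT, hang up."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = f.readline().decode(errors="replace").rstrip("\r\n")
        s.sendall(b"QUIT\r\n")
        f.readline()  # 221 reply
    return banner


def run_scan(banner):
    """Start a greeter advertising `banner` on an ephemeral loopback port,
    grab it as a scanner would, and return (raw greeting, parsed version)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_serve_banner, args=(listener, banner), daemon=True)
    t.start()
    greeting = grab_banner("127.0.0.1", port)
    t.join(5)
    return greeting, exim_version(greeting)


if __name__ == "__main__":
    for label, banner in (("default-style", DEFAULT_STYLE_BANNER), ("stripped", STRIPPED_BANNER)):
        greeting, ver = run_scan(banner)
        print(f"{label:14} {greeting!r} -> {ver}")
    for label, hdr in (("default-style", DEFAULT_STYLE_RECEIVED), ("stripped", STRIPPED_RECEIVED)):
        print(f"{label:14} Received: -> {exim_version(hdr)}")
```

The parsed result is all the banner edit buys: a scanner that looks before it leaps learns "3.22 #1" from the first configuration and nothing from the second, while one that simply fires the exploit (the blind case Greg describes) never consults this output at all. The same regex over the Received: headers shows the second place the version appears, which is why received_header_text has to be changed alongside smtp_banner for the hiding to be consistent.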