8

Web servers can add Server, X-Powered-By and similar headers to HTTP responses. It looks like the consensus is that such headers should be removed so that automatic vulnerability scanners don't immediately know which version of which software they're dealing with, and so automatic vulnerability discovery gets harder.

Sounds good, but... It's often easy to find out what software a service runs on from other sources. For example, it's well known that Stack Exchange runs on IIS and ASP.NET, so it looks like it doesn't matter much whether Stack Exchange suppresses Server and X-Powered-By.

How important is that? To what extent does stripping these headers help? Is it just to feel safer, or does it have a real, notable effect?

sharptooth

3 Answers

13

The question is regarding "Security through obscurity". Does hiding your design/implementation (e.g. what server you are running) lead to fewer instances of exploitation? This is a long debated subject with reasonable arguments on both sides of the fence.

All security practices are a tradeoff between cost (e.g. effort, maintainability, money) and benefit (reduced instances of exploitation, reduced impact of those inevitable instances). In this case the cost is the effort it takes to change the string and the benefit is some degree of obscurity. However, (as you noted) in a targeted attack (and by that I mean someone is determined to get into your systems) there are other methods of canceling out that benefit (e.g. looking at default error pages, default files, obscure stuff like cookie handling, and pwning something else). In a non-targeted attack (and by that I mean some skiddie looking for low hanging fruit or a dumb automated piece of software scanning the internet, same thing) you avoid harassment.

HOWEVER, the actions needed to secure against a targeted attack (regular updates, access controls, sane configuration, good data hygiene) would also protect against the aforementioned non-targeted attacks. These are by far the best bang for the buck and what you should be doing.

So, if you are out of other things to do, then go ahead and hide your server tokens. It'll stop people from noticing low hanging fruit if you are super late applying patches or something else fails. However, note that in that case you may already be dead in the water. So if there is anything left, your time is better spent attending to that or asking good questions like this one.

Personally I prefer adding humorous server tokens to make attackers laugh or incorrect server tokens to confuse them. minorcrash.com (when up) currently has DOM injection that renders a picture of a cat being hit by a snowball.

chao-mu
7

As a large number of attacks are automated and progress from scans to identify the OS/platform, this does have a net positive effect. And because the effort to implement this is almost zero, we always recommend it is done.

Automated scans (not from an attacker specifically targeting you) will first run a footprinting step, to identify the platform - this is often as simple as a banner grab, as it is fast, and spoofing the banner will mean your system won't be matched up in their database of platform||vulnerabilities.

This is of even higher value if your platform has known vulnerabilities as the banner would effectively announce this!

(of course if they use nmap or various other options they will still be able to identify the platform, which is why this is not a silver bullet, but simply an improvement)

Rory Alsop
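As an added illustration (not code from any of the answers here), a small Python check you can run against a raw response from your own server to see which of the headers discussed above are present and whether any of them carries a version number, which is what the banner-grab step of an automated scan keys on. The sample responses and the header values in them are constructed.

```python
import re
from typing import Dict, List

# Response headers that commonly announce the server software and/or its version.
DISCLOSURE_HEADERS = (
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator",
)
# A dotted number such as 7.5 or 4.0.30319 is what a scanner would match against its database.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lower-cased name -> value dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def banner_disclosures(raw_response: str) -> List[dict]:
    """Return one finding per disclosure header present, flagging whether it leaks a version."""
    findings = []
    for name, value in parse_headers(raw_response).items():
        if name in DISCLOSURE_HEADERS:
            findings.append({
                "header": name,
                "value": value,
                "has_version": bool(VERSION_RE.search(value)),
            })
    return findings


# Constructed sample responses: one with the usual IIS/ASP.NET banners, one with them stripped.
VERBOSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html\r\n\r\n<html>"
)
STRIPPED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    for label, resp in (("verbose", VERBOSE), ("stripped", STRIPPED)):
        print(label, banner_disclosures(resp))
```

A header that names the product without a version (X-Powered-By: ASP.NET in the sample) still identifies the platform, so the check reports it too, just without the version flag.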
3

Hiding the banner grabs and modifying the server's response definitely won't hurt your overall security posture, but in my opinion it doesn't help it drastically either. You're talking about "security through obscurity". While modifying these banners may prevent some scans from running additional "attacks" against you, it's not going to stop anyone that is semi-determined to get into your network. However, there are some regulations, such as PCI, that will fail you if you have some SSH version information available to users. So in these cases, even though the security gain may be minimal, you need to do it for compliance. All of that said, trying to hide information from attackers is always a good idea to make them work a little harder for it, but just don't solely rely on it by any means. Continue to use the best practices for whatever OS or application you're using, focus on system hardening, and ensure that you only have the needed ports/applications open through your firewall. Security is all about layers, and trying to hide information is a very low-level layer.

Eric