Re: Security Audit and Priorities

[Yannick Van Osselaer <yannick.vanosselaer () pi be>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Op zondag 13 juli 2003 02:53, schreef Paul Ammann:
> Hi
>
> I will be starting a new job in the next few weeks. I went to Netcraft and
> typed in the company's URL and was amazed by what I saw: the version of
> Linux, the version of Apache, the version of OpenSSL... literally
> everything about their web servers.
>
> I have a lot of experience with firewalls, but I'll profess my ignorance in
> other security areas. So, here are my two questions:
>
> 1. What is the best way to block Netcraft from obtain all this information.
> Are there Open Source solutions that would be better than commercial
> solutions?

Include the following directive in httpd.conf

ServerTokens ProductOnly

Obscurity can be helpful. But you shouldn't totally rely on it. It's better to 
spend your time on configuring your daemon's, updating software, etc.

> 2. The company has acknowledged they are lacking in security. What is the
> best method for doing a security audit?
>
> Thanks in advanced!
>
> Paul

- -- 
Yannick Van Osselaer
Public Key: wwwkeys.us.pgp.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/ET/B93+qyX+enAERAnh0AJ0WcKrVshyR2Q72haZKN7AUKH4DaACgq3Nt
C/8XteiOif16YaNCv5Ur/Mo=
=9gzT
-----END PGP SIGNATURE-----

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards