CONTENTS

Eighth Layer News
 DNS Consultancy, Linux Expo, Free Mandrake 7.2 CDs, RFC2142
Article
Industry News
 Hacking stories and Attrition's Mirror
Technical Bits
 Hiding version strings in Apache and BIND
Subscription Details

==========================================

Eighth Layer News

==========================================

DNS Consultancy

DNS consultancy work for various clients has kept us busy. Simon even
found a bug in an Alpha Release of BIND (9.2.0a2).

==========================================

Linux Expo

Simon plans to attend Linux Expo 2001 in London on the 4th and 5th of
July, if not dragged away by more work. Will he see any readers there?

==========================================

Free Linux CDs

We still have lots of Mandrake 7.2 CDs left over from the Devon and
Cornwall Linux User Group's Linux Day event. Mandrake was voted the best
distribution of Linux by Linux magazine readers, and these CDs are
highly recommended to anyone thinking of getting started with Linux,
although on the day we got rid of all the (in some cases, rather old)
Red Hat CDs. It was yet another example of people selecting what they
have heard of, rather than basing their decision on technical merit or
advice.

==========================================

Article at WWW.NETSYS.COM

Simon has written a short article for netsys.com, formerly featured as
a "Recommended Web Site".

Don't be put off by the title, "RFC2142 and all that": it explains why
RFC2142 is a "must-read" for anyone setting up an Internet mail server.

http://www.netsys.com/cgi-bin/display_article.cgi?888

==========================================

Industry News

==========================================

Hacking of EU Safer Internet Exchange

The hacking of an EU-sponsored web site devoted to making the web safer
makes a good story! Just as Americans seem to love seeing the Federal
government get caught out, Europeans are beginning to feel the same way
about the EU, although we're sure it all adds to our tax burden!

http://www.idg.net/go.cgi?id=491863

The story doesn't name the site, but at a guess....

http://www.saferinternet.org/

So the story doesn't quite pan out. The site is primarily dedicated to
dealing with child pornography and other illegal or harmful content.

The moral, however, remains the same - the hack was apparently achieved
using known vulnerabilities in Microsoft IIS, so keep patching those
servers! However, the sanity of using IIS must be questionable following
yet further major vulnerability announcements from our "friends" at
Redmond.
 
==========================================

Attrition Drop Their Mirror

Attrition, a security consultancy, have decided to drop their mirror.
The mirror used to take snapshots of hacked web sites, recording the
event for posterity.

As a result of running the mirror, Attrition received a lot of attention
from the American authorities, and have decided they can no longer
commit the effort involved in maintaining the mirror.

Attrition will still be bringing us their much more useful statistics,
but these don't have quite the same air of "Schadenfreude".

http://www.attrition.org/

==========================================

Technical Bits

Of course all this version string hiding is for when you're sure you
have all the right patches already installed....

==========================================

Hiding Version Strings - Apache

My experiments in producing more anonymous Internet software continue.

An Apache server "out of the box" returns a string to anyone who wants
to know, which looks like:

        Server: Apache/1.3.12 (Unix)  (Red Hat/Linux)

The exact content varies with operating system, and can be even more
revealing.

The Apache directive "ServerTokens" gives you some control over this.

http://httpd.apache.org/docs-2.0/mod/core.html#servertokens

Adding "ServerTokens Min" to the httpd.conf file drops the response to:

        Server: Apache/1.3.12

"ServerTokens Prod" should further shrink the response to "Apache".
However, you need a newer version of Apache than 1.3.12 for this to
work, which is quite revealing in itself. Whatever you do, check the
output, as the default is "full", and we didn't get any warning or error
when we tried using "Prod" with version 1.3.12, the result being that
everything was revealed.

"vi -b /usr/sbin/httpd" worked a treat with 1.3.12, letting me overwrite
the strings with anything I liked, including the product name. But it is
probably better to do this at the source code level on a production
server.
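
One way to "check the output" after changing ServerTokens, as an added
example that is not part of the original newsletter. The function names
and level labels are assumptions made for this sketch, and the sample
response is constructed from the header strings quoted above.

```shell
#!/bin/sh
# Added example: audit how much a "Server:" header reveals.
# Function names and level labels are constructed for this sketch.

# Read raw response headers on stdin, print the Server header value.
server_header_value() {
    tr -d '\r' | sed -n 's/^[Ss][Ee][Rr][Vv][Ee][Rr]:[ ]*//p' | head -n 1
}

# Heuristic: parentheses carry OS/distribution detail, digits a version.
classify_server_header() {
    case $1 in
        "")          echo "absent" ;;
        *"("*")"*)   echo "os-details" ;;
        *[0-9]*)     echo "version" ;;
        *)           echo "product-only" ;;
    esac
}

level_rank() {
    case $1 in
        absent)       echo 0 ;;
        product-only) echo 1 ;;
        version)      echo 2 ;;
        *)            echo 3 ;;
    esac
}

# $1 = header value, $2 = most revealing level you intend to allow.
# Fails when the server reveals more than intended, e.g. an unsupported
# ServerTokens value silently falling back to the full string.
meets_target() {
    [ "$(level_rank "$(classify_server_header "$1")")" -le "$(level_rank "$2")" ]
}

# Constructed sample: "Prod" was intended, but the full string came back.
sample='HTTP/1.1 200 OK
Server: Apache/1.3.12 (Unix)  (Red Hat/Linux)
Content-Type: text/html'
value=$(printf '%s\n' "$sample" | server_header_value)
if meets_target "$value" product-only; then
    echo "OK: $value"
else
    echo "LEAK ($(classify_server_header "$value")): $value"
fi
# Live check of your own server: curl -sI http://127.0.0.1/ | server_header_value
```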

==========================================

Hiding version strings - BIND 9

BIND 9 is my preferred name server, but it is easy to spot a BIND 9
server.

Whilst the "version" directive allows you to stop probing with:

# dig +short @127.0.0.1 version.bind chaos txt
"24h helpdesk +44(0)208 xxx xxxx"

BIND 9 adds some extra information.

# dig +short @127.0.0.1 authors.bind chaos txt
"Andreas Gustafsson"
"Bob Halley"
"Damien Neil"
"Matt Nelson"
"Ben Cottrell"
"Mark Andrews"
"James Brister"
"Michael Graff"
"David Lawrence"
"Michael Sawyer"
"Brian Wellington"

Interestingly 9.2.0a2 doesn't add the authors' records if you override
the version string - another nice touch! But users of earlier versions
of 9 are forever fingerprintable, because if they return a mangled
version string but also answer the "authors.bind" query, we know to
within 2 minor releases what version they are running.
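
A check of your own name server for the combination described above, as
an added example that is not part of the original newsletter. The
function names and verdict labels are assumptions made for this sketch;
the dig invocation is the one shown above, and the sample answers are
constructed from the output quoted there.

```shell
#!/bin/sh
# Added example: does a name server still identify itself over CHAOS TXT?
# Function names and verdict labels are constructed for this sketch.

# $1 = server address, $2 = name to ask for (version.bind / authors.bind)
chaos_txt() {
    dig +short "@$1" "$2" chaos txt
}

# $1 = version.bind answer, $2 = authors.bind answer (may be empty)
bind_exposure() {
    version=$(printf '%s' "$1" | tr -d '"')
    case $version in
        # Heuristic: an answer starting "digit.digit" is a real release number.
        [0-9].[0-9]*) echo "version-exposed"; return ;;
    esac
    if [ -n "$2" ]; then
        # Version string replaced, but the authors list still answers:
        # the case the text above calls fingerprintable.
        echo "overridden-but-authors-answered"
    elif [ -n "$version" ]; then
        echo "overridden"
    else
        echo "no-answer"
    fi
}

# Constructed answers in the shape dig +short prints them.
v='"24h helpdesk +44(0)208 xxx xxxx"'
a='"Andreas Gustafsson"
"Bob Halley"'
echo "sample server: $(bind_exposure "$v" "$a")"
# Live check of your own server:
#   bind_exposure "$(chaos_txt 127.0.0.1 version.bind)" \
#                 "$(chaos_txt 127.0.0.1 authors.bind)"
```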

==========================================

Subscription Details

Eighth Layer News subscription is still done the old-fashioned way, by
hand.

The newsletter is free, and you are welcome to pass it on to colleagues,
but please do encourage them to subscribe, so I know who I'm writing
for.

To subscribe or unsubscribe e-mail
Simon.Waters@eighth-layer.com
Copyright Eighth Layer Limited 2001.
Archive copies are kept on the website
http://www.eighth-layer.com