From: Ken Murchison (no email)
Date: Tue Apr 02 2002 - 14:26:19 EST
Clifford Thurber wrote:
>
> Ken I am just interested in suppresing platform/version information when
> someone telnet to port 143. Just one more layer of security.
But by doing this, you're implying that there is a security hole in the
Cyrus server which can be exploited if the hacker discovers the
vendor/version info. Is there some known security hole in Cyrus that
isn't in other servers. Even if there is, I don't think that the lack
of info in the banner is going to stop a hacker from trying the exploit
anyway. Furthermore, a good hacker intent on finding Cyrus servers
could also detect them by look for known response strings from commands,
etc.
> If I understand you correctly I just need to add:
>
> "imapidresponse: no"
>
> to /etc/imapd.conf?
>
> This correct.
No. This will only suppress the response for an ID command. If you
don't want the vendor/version info in the banner, you'll have to edit
the source.
>
> >If you think that having the vendor/version information in the banner is
> >a security problem, then you should tell us what you think the security
> >issues are, so they can be fixed. If its a config problem, then fix
> >your config ;-)
> >
> >In any case, there are multiple places in the services where the
> >vendor/version string is used:
> >
> >- In the banners for imapd, pop3d, lmtpd -- disable by editing the
> >source --
> > look for prot_printf(, "... ready\r\n", ,CYRUS_VERSION)
> >- imapd: ID command response -- disable with "imapidresponse: no" in
> >imapd.conf
> >- imapd: NETSCAPE command response -- not compiled by default
> >(--enable-netscapehack configure option)
> >- pop3d: IMPLEMENTATION capability -- disable by editing the source in
> >cmd_capa()
> >
> >Ken
> >
-- Kenneth Murchison Oceana Matrix Ltd. Software Engineer 21 Princeton Place 716-662-8973 x26 Orchard Park, NY 14127 --PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
|
|
|