On Tue, Oct 08, 2019 at 10:03:16AM -0700, William Herrin wrote:
> Limiting the server banner so it doesn't tell an adversary the exact OS-specific binary you're using has a near-zero cost and forces an adversary to expend more effort searching for a vulnerability.
Why would they bother performing that search? Why not use their botnets to throw every exploit they have at a service and see if anything works? That's easier and cheaper and faster than being selective. It also -- if they happen to have a working exploit -- blows right past (announced) versions, whether real, fake, or elided. Brute force is cheap, analysis is expensive.

Case in point: every mail server I have eyeballs on was probed by attackers trying to exploit the recent exim vulnerability -- no matter what MTA they're running, no matter that they all announce the MTA and version, no matter anything. I doubt I'm alone in observing this.

Even a diligent, capable attacker -- someone who is willing to invest the time and effort to ascertain what's running which service, down to the version -- could save themselves some homework by launching an attack like the one in the first paragraph above, examining the results, and using those to greatly reduce their search space. It's easy, it's cheap, it's fast, it's automated, and it yields no clues as to where the follow-up (version-specific) attack is going to come from.

---rsk