How to make Win NT 4 server report false info about web & email software running?

Wiz

With all the trouble out there these days I was thinking it would be wise to get my server to 'lie' when asked about the software running on it. This way there would be less probability that people would formulate intelligent attacks against it.
So how can it be done? Or for that matter can it be done?
 

Nothinman

I'm not sure if it can be done, but it won't gain you much. Nimda and all the things you're trying to hide from don't check the version of the software before they try the exploit, otherwise my Apache logs would be much smaller.
 

Wiz

I understand, it's just that I would rather it not say what software and version are running if possible.
For instance, the email server reliably says all kinds of great info every time anyone connects.
Lots of things about email were built for a nice trusting internet community,
but there's a war going on out there the inventors of email never expected.
 

Nothinman

It won't help you, period. The only people you would avert are the ones that couldn't break in properly anyway.

If you can't find a way to do it in your software, you probably can't do it.
 

Rainsford

I agree, hiding your version won't help you at all. The vast majority of the computer "hackers" out there are script kiddies who run automated tools that try well known exploits against a large number of random servers. My Apache logs show many, many people are doing this. As long as you have your software properly patched, these attacks are harmless (although somewhat irritating). The only time people even check anything any more is if they would be targeting your servers specifically. And in that case, if running patched software doesn't protect you, hiding the versions certainly won't.
 

Woodie

I have to disagree with the majority who've posted, there is some value.

1. These messages are referred to as "banners". Search in the registry for them, they're there.

Value:
I agree that automated scripts and worms will not be affected by changing the banners. However, if you're being targeted for attack by a particular individual, the first thing he'll do is try and find out as much about your server as possible. By not writing the OS and Version information on the wall for him, you've gained yourself some time. If you put some information there that is credibly wrong, meaning that if he does certain other checks or pokes at your machine, and it responds back with information consistent with the wrong information you've provided in the banner, then you've gained yourself even more time. He'll go and get the attacks specific to that OS and version, which most likely won't work on your server.

Time = advantage. The longer it takes the attacker to do anything, the more time you've protected your server.
1. The more work the attacker has to do, the more likely that he'll (a) give up or (b) try a different server.
2. The more time you have to detect him.
3. The more likely it is the attacker has to do a more invasive (more detectable) probe.
4. The more probes the attacker does, the easier to (a) detect him and (b) build a log -evidence- that shows a planned, pre-conceived attack.
5. The more actual attacks he does, the more likely you are to see it, and be able/ready to respond if/when he figures out what you really have.

Let the debate begin!!
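
Added example, not part of any post in this thread: a check an administrator can run over responses captured from their own server to list the version strings that the SMTP greeting and the HTTP response headers give away, for instance to confirm a banner change took effect. The sample banners and product names are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample responses (not captured from any real host or product).
SAMPLE_SMTP = "220 mail.example.test ExampleMail ESMTP Server 5.5.1234.0 ready\r\n"
SAMPLE_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPd/4.0\r\n"
    "X-Powered-By: ExampleScript/3.0\r\n"
    "Content-Type: text/html\r\n\r\n"
)
SAMPLE_HTTP_QUIET = "HTTP/1.1 200 OK\r\nServer: web\r\nContent-Type: text/html\r\n\r\n"

# A dotted number such as 4.0 or 5.5.1234.0 is treated as a version string.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")
# Headers that commonly carry product and version information.
DISCLOSING_HEADERS = ("server", "x-powered-by")


def smtp_disclosures(greeting):
    """Return version-like tokens in an SMTP 220 greeting, ignoring the domain."""
    found = []
    for i, line in enumerate(greeting.splitlines()):
        m = re.match(r"220[ -](.*)", line)  # "220-" marks a continuation line
        if not m:
            continue
        text = m.group(1)
        if i == 0:  # first line is "220 <domain> [text]"; skip the domain itself
            text = text.partition(" ")[2]
        found += VERSION_RE.findall(text)
    return found


def http_disclosures(response_head):
    """Map each disclosing header name to the version tokens in its value."""
    found = {}
    head = response_head.split("\r\n\r\n", 1)[0]
    for line in head.splitlines()[1:]:  # skip the status line (HTTP/1.1 ...)
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key in DISCLOSING_HEADERS and VERSION_RE.search(value):
            found[key] = VERSION_RE.findall(value)
    return found


def audit(smtp_greeting, http_head):
    """Return (service, source, token) findings for both captured responses."""
    findings = [("smtp", "greeting", v) for v in smtp_disclosures(smtp_greeting)]
    for header, versions in http_disclosures(http_head).items():
        findings += [("http", header, v) for v in versions]
    return findings
```

An empty result from `audit` means no dotted version string is visible in the banner; it says nothing about whether the software behind it is patched.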
 

spyordie007



<< I agree that automated scripts and worms will not be affected by changing the banners. However, if you're being targeted for attack by a particular individual, the first thing he'll do is try and find out as much about your server as possible... >>


I agree with Woodie's reasoning, however this is in the case of would-be attackers specifically singling you out.

On my server I run a website for a small clean-energy non-profit group, who is going to take the time to attack a server such as mine? Worst case they ruin it completely and I have to rebuild (that's why I have backups of everything), and there isn't any info to be stolen. Who would want to single out a server such as mine when they could attack much more inviting, interesting prey (MS). Changing the information that your machine returns will buy you time, which would help in the case of an internet attack. However I do not believe that taking the time to do these things would really make much of a difference at all.

I would like to change mine though just to have fun. That way it could return something like "why take what is already free?" or something else clever. I don't really think it would make a difference though as far as my server's or most small server's security. It might make a difference for larger corporate servers that are bigger targets for attacks, however attacks done on bigger corporations are generally collaborative efforts, and even a group of kids would see through changing the name quickly enough. The only attacks that I get are scripts attacking specific exploits (nimda, which is one I did catch BTW). Don't try and hack me because I didn't change my computer name and I'm saying that "I'm not worried", but I don't think I'm going to spend the time changing mine.

-Spy