Hiding Subversion version number

dhanushka ranasinghe-2
Hi All

Is there any configuration where I can hide the Subversion version details? Please see copied image (Inline images 1).

Re: Hiding Subversion version number

Dave Huang-2
On Dec 15, 2017, at 9:15, Dhanushka Parakrama <[hidden email]> wrote:

Hi All

Is there any configuration where i can hide  the subversion version details .Please see copied image <image.png>

I think that's controlled by the Apache ServerSignature configuration option (https://httpd.apache.org/docs/2.4/mod/core.html#serversignature)

-- 
Name: Dave Huang         |  Mammal, mammal / their names are called /
INet: [hidden email] |  they raise a paw / the bat, the cat /
Telegram: @DahanC        |  dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 42 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++


Re: Hiding Subversion version number

Nico Kadel-Garcia-2
Why would you want to hide this?

On Fri, Dec 15, 2017 at 10:54 AM, Dave Huang <[hidden email]> wrote:
> On Dec 15, 2017, at 9:15, Dhanushka Parakrama <[hidden email]>
> wrote:
>
>
> Hi All
>
> Is there any configuration where i can hide  the subversion version details
> .Please see copied image <image.png>

Re: Hiding Subversion version number

Matt Simmons
Many documents relating to information security compliance require blocking visible software version information. 



On Fri, Dec 15, 2017 at 10:46 AM Nico Kadel-Garcia <[hidden email]> wrote:
Why would you want to hide this?

On Fri, Dec 15, 2017 at 10:54 AM, Dave Huang <[hidden email]> wrote:
> On Dec 15, 2017, at 9:15, Dhanushka Parakrama <[hidden email]>
> wrote:
>
>
> Hi All
>
> Is there any configuration where i can hide  the subversion version details
> .Please see copied image <image.png>
--
"Today, vegetables... Tomorrow, the world!" 

Re: Hiding Subversion version number

Branko Čibej
On 15.12.2017 20:10, Matt Simmons wrote:
> Many documents relating to information security compliance require
> blocking visible software version information.

Interesting documents. I'd have expected them to require all software to
be patched to fix all known security bugs. I thought the "security by
obscurity" mantra had been debunked, but apparently not ...

-- Brane

> On Fri, Dec 15, 2017 at 10:46 AM Nico Kadel-Garcia <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     Why would you want to hide this?
>
>     On Fri, Dec 15, 2017 at 10:54 AM, Dave Huang <[hidden email]
>     <mailto:[hidden email]>> wrote:
>     > On Dec 15, 2017, at 9:15, Dhanushka Parakrama
>     <[hidden email] <mailto:[hidden email]>>
>     > wrote:
>     >
>     >
>     > Hi All
>     >
>     > Is there any configuration where i can hide  the subversion
>     version details
>     > .Please see copied image <image.png>
>
> --
> "Today, vegetables... Tomorrow, the world!" 


Re: Hiding Subversion version number

Branko Čibej
In reply to this post by dhanushka ranasinghe-2
On 15.12.2017 16:15, Dhanushka Parakrama wrote:
> Hi All
>
> Is there any configuration where i can hide  the subversion version
> details .Please see copied image Inline images 1

You could start by telling us *where* you see that image. In a browser,
I presume? Generated by which server? It's certainly not generated by
Subversion so I wonder if you're on the right list?

-- Brane

Re: Hiding Subversion version number

Matt Simmons
In reply to this post by dhanushka ranasinghe-2
This sounds like the ServerSignature directive


Have you turned it off?

On Fri, Dec 15, 2017 at 7:15 AM, Dhanushka Parakrama <[hidden email]> wrote:
Hi All

Is there any configuration where i can hide  the subversion version details .Please see copied image Inline images 1



--
"Today, vegetables... Tomorrow, the world!" 

Re: Hiding Subversion version number

Matt Simmons
In reply to this post by Branko Čibej
OT, but you can see one here: 


(specifically, section 5.1: Reconfigure HTTP service banner (and others as required) not to report Web server and OS type and version ) 

There are, of course, mandates to use up to date software, but, also many other suggestions. Some practical, some just weird. 

--Matt


On Sat, Dec 16, 2017 at 3:35 AM, Branko Čibej <[hidden email]> wrote:
On 15.12.2017 20:10, Matt Simmons wrote:
> Many documents relating to information security compliance require
> blocking visible software version information.

Interesting documents. I'd have expected them to require all software to
be patched to fix all known security bugs. I thought the "security by
obscurity" mantra had been debunked, but apparently not ...

-- Brane

> On Fri, Dec 15, 2017 at 10:46 AM Nico Kadel-Garcia <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     Why would you want to hide this?
>
>     On Fri, Dec 15, 2017 at 10:54 AM, Dave Huang <[hidden email]
>     <mailto:[hidden email]>> wrote:
>     > On Dec 15, 2017, at 9:15, Dhanushka Parakrama
>     <[hidden email] <mailto:[hidden email]>>
>     > wrote:
>     >
>     >
>     > Hi All
>     >
>     > Is there any configuration where i can hide  the subversion
>     version details
>     > .Please see copied image <image.png>
>
> --
> "Today, vegetables... Tomorrow, the world!" 




--
"Today, vegetables... Tomorrow, the world!" 

Re: Hiding Subversion version number

Dave Huang-2
In reply to this post by Branko Čibej
On 12/16/2017 5:38, Branko Čibej wrote:

> On 15.12.2017 16:15, Dhanushka Parakrama wrote:
>> Hi All
>>
>> Is there any configuration where i can hide  the subversion version
>> details .Please see copied image Inline images 1
>
> You could start by telling us *where* you see that image. In a browser,
> I presume? Generated by which server? It's certainly not generated by
> Subversion so I wonder if you're on the right list?
>
> -- Brane

Of course it's generated by Subversion. mod_dav_svn, to be more precise.
Just Google for "Powered by Apache Subversion" to find tons of examples,
e.g., https://svn.openstreetmap.org/

See also:
http://svn.apache.org/viewvc/subversion/trunk/subversion/mod_dav_svn/repos.c?view=markup#l3547

--
Name: Dave Huang         |  Mammal, mammal / their names are called /
INet: [hidden email] |  they raise a paw / the bat, the cat /
Telegram: @dahanc        |  dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 42 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+
PL++
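
Added example (not part of the thread and not Subversion project code): a small check an administrator could run against a saved response after changing the Apache settings discussed above, to confirm that neither the "Server:" header nor the "Powered by Apache Subversion" footer still reports a version. The sample responses, version numbers and the function name are constructed for illustration.

```python
import re

# Constructed sample responses; not captured from any real server.
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Unix) SVN/1.9.7\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body><h2>repo - Revision 12: /</h2>\n"
    ' <ul><li><a href="trunk/">trunk/</a></li></ul>\n'
    ' <hr noshade><em>Powered by <a href="http://subversion.apache.org/">'
    "Apache Subversion</a> version 1.9.7 (r0000000).</em>\n"
    "</body></html>"
)
SAMPLE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body><h2>repo - Revision 12: /</h2>\n"
    ' <ul><li><a href="trunk/">trunk/</a></li></ul>\n'
    "</body></html>"
)

# "Product/1.2.3" tokens as they appear in a Server header.
TOKEN_RE = re.compile(r"\b([A-Za-z_][\w\-]*)/(\d[\w.\-]*)")
# Footer text once HTML tags are stripped from the listing page.
FOOTER_RE = re.compile(
    r"Powered by\s+Apache Subversion\s+version\s+(\d[\w.\-]*)", re.I)


def find_version_disclosures(raw_response):
    """Return (location, product, version) tuples found in one response."""
    head, _, body = raw_response.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            for product, version in TOKEN_RE.findall(value):
                findings.append(("Server header", product, version))
    text = re.sub(r"<[^>]+>", "", body)          # drop markup around the link
    for match in FOOTER_RE.finditer(text):
        findings.append(("mod_dav_svn footer", "Subversion", match.group(1)))
    return findings


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, find_version_disclosures(sample))
```

The "Server:" header contents are governed by Apache's ServerTokens directive rather than ServerSignature, so the two locations are reported separately.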

Re: Hiding Subversion version number

Eric Johnson-35
In reply to this post by Matt Simmons
Hiding the version information is but a piece of the puzzle. It won’t save a server from a persistent attacker. However, hiding the server software, and the software version, makes it harder for “drive-by” attackers to discover that your server is vulnerable. They don’t generally want to spend the time to test the universe of known compromises to server software, but if they know they only need to test for vulnerabilities to Subversion 1.7.X, then you’ve got their attention.

Hiding that information slows the drive-by attackers down, much like having a safe will do the same. In some cases the extra time nudges attackers towards looking for easier targets.

Eric

On Dec 16, 2017, at 3:35 AM, Branko Čibej <[hidden email]> wrote:

On 15.12.2017 20:10, Matt Simmons wrote:
Many documents relating to information security compliance require
blocking visible software version information.

Interesting documents. I'd have expected them to require all software to
be patched to fix all known security bugs. I thought the "security by
obscurity" mantra had been debunked, but apparently not ...

-- Brane

On Fri, Dec 15, 2017 at 10:46 AM Nico Kadel-Garcia <[hidden email]
<[hidden email]>> wrote:

   Why would you want to hide this?

   On Fri, Dec 15, 2017 at 10:54 AM, Dave Huang <[hidden email]
   <[hidden email]>> wrote:
On Dec 15, 2017, at 9:15, Dhanushka Parakrama
   <[hidden email] <[hidden email]>>
wrote:


Hi All

Is there any configuration where i can hide  the subversion
   version details
.Please see copied image <image.png>

--
"Today, vegetables... Tomorrow, the world!" 


Re: Hiding Subversion version number

Daniel Shahaf-2
Eric Johnson wrote on Sat, Dec 16, 2017 at 07:05:52 -0800:
> Hiding that information slows the drive-by attackers down,

Hiding that information is a pretty clear signal that "I think I'm an
interesting target", though.  Everyone who's serious about security knows
that the right answer is to configure httpd to put an IIS banner in the
"Server:" header :°)

Re: Hiding Subversion version number

Branko Čibej
On 16.12.2017 21:25, Daniel Shahaf wrote:
> Eric Johnson wrote on Sat, Dec 16, 2017 at 07:05:52 -0800:
>> Hiding that information slows the drive-by attackers down,
> Hiding that information is a pretty clear signal that "I think I'm an
> interesting target", though.  Everyone who's serious about security knows
> that the right answer is to configure httpd to put an IIS banner in the
> "Server:" header :°)

ROFL! If I were an attacker, that'd definitely put me off my lunch. :)