
The linked question relates to error pages, although the same information is often available in HTTP headers if I follow the best practice of hiding service banners:

Is displaying what server I am running on the error pages a security risk?

Would I be hindering the effectiveness of vulnerability scanners such as Nessus or OpenVAS? For example, say I am running the fictitious web server Foobar v1.1 and there is a vulnerability that affects versions of Foobar < v2.0.

If the NVT works by checking the service banner, hiding the banner would mean that the vulnerability would not be picked up by any automated network vulnerability tests.

What is the general recommendation here? Would it be better for the banner to be hidden and then this vulnerability would be picked up during a manual pen test rather than an automated scan? Would penetration test tools such as Metasploit Pro automatically try to exploit it, even if the banner was missing or spoofed (say somebody changed it to say Foobar v2.0 when it was in fact v1.1)?

Note that I am not saying that hiding or spoofing the banner would be a good way to handle security flaws; however, I'm concerned whether scanners would miss vulnerabilities in similar situations.

SilverlightFox

2 Answers

The first thing to note here is that banner grabbing is an error prone way to check for vulnerabilities in a lot of cases (as OS vendors backport security fixes without updating version numbers). Nessus as an example will try and work around that, but it's not foolproof.

The best way to address checking your security with scanners is to get them to do credentialed checking. It's a lot more accurate and comprehensive than uncredentialed checking. It doesn't take the place of a proper manual pen test, as there are things the scanners don't find, but it is still worth doing.

As to whether you should hide banners, I'm going to disagree with @limbenjamin and say that removing banners is generally a good idea as long as it's not really hard to do. The reason for this is that it makes an attacker work harder to find out what software you're running, which makes more "noise" which can be detected by detective systems such as IDS (see also this question).

Rory McCune
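To illustrate the answer's point that a banner-only check has several failure modes (hidden banner, spoofed banner, and distro backports that leave the version string untouched), here is an added example, not code from the question, the answers, or any scanner product. It models the fictitious Foobar server from the question with the flaw fixed in 2.0; the verdict names and the "distro suffix means possible backport" convention are this example's own assumptions.

```python
"""Banner-based vulnerability check and the ways it goes wrong.

Added example, not a Nessus/OpenVAS plugin. Models the fictitious
"Foobar" web server from the question: versions below 2.0 are assumed
vulnerable. Verdict names are this example's own convention.
"""
import re
from typing import Optional, Tuple

VULN_FIXED_IN = (2, 0)  # constructed: flaw affects Foobar < 2.0

# Matches "Foobar/1.1" or "Foobar v1.1", optionally followed by a distro tag
BANNER_RE = re.compile(
    r"Foobar[/ v]+(\d+)\.(\d+)(?:\s*\((?P<distro>[^)]+)\))?", re.I
)


def parse_banner(server_header: Optional[str]) -> Tuple[Optional[Tuple[int, int]], bool]:
    """Return (version tuple or None, backported flag) from a Server header value."""
    if not server_header:
        return None, False  # banner hidden: nothing to compare against
    m = BANNER_RE.search(server_header)
    if not m:
        return None, False  # unrecognised product string
    version = (int(m.group(1)), int(m.group(2)))
    # A distro suffix such as "(Debian)" is treated here as a hint that the
    # vendor may backport fixes without bumping the version string (assumption).
    backported = m.group("distro") is not None
    return version, backported


def classify(server_header: Optional[str]) -> str:
    """Verdict an unauthenticated banner check can reach.

    'vulnerable'      banner claims a version below the fix
    'not_vulnerable'  banner claims a fixed version; trusts the banner, so a
                      spoofed "Foobar/2.0" on a real 1.1 is a false negative
    'unknown'         banner hidden or unrecognised; needs a credentialed check
    'backport_check'  version looks old but the distro may have patched it
    """
    version, backported = parse_banner(server_header)
    if version is None:
        return "unknown"
    if version >= VULN_FIXED_IN:
        return "not_vulnerable"
    return "backport_check" if backported else "vulnerable"


if __name__ == "__main__":
    # Constructed Server header values covering the cases the question raises
    for hdr in ["Foobar/1.1", None, "Foobar/2.0", "Foobar/1.1 (Debian)"]:
        print(repr(hdr), "->", classify(hdr))
```

Only the first case is a true positive; the other three are exactly the situations where the answer recommends falling back to credentialed scanning or a manual test.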

This sounds very much like security by obscurity to me. You are trying to hide the vulnerability from automated scanners.

While such a measure might throw off simple scans, it does not actually address the actual problem. You would still have to keep up to date with patches to secure your server.

As you have mentioned, it might create a false sense of security since the automated scans might not pick up the vulnerability. My opinion is not to obscure the banner but to focus on the actual security of your server.

limbenjamin

Comments:

  • There is nothing wrong with obscurity as long as it isn't the only method deployed to keep secure. With the amount of automated scanners and malicious websites constantly attacking, sometimes it may be better to change your banner/user agent. Even a fully patched system can be compromised. – David Houde Dec 02 '14 at 13:04
  • Agreed, as long as the obscurity method does not introduce any negative effect. One potential negative effect is that other administrators might overlook this server as automated scans do not surface any vulnerability. Proper documentation and communication with other admins would minimise such an occurrence. – limbenjamin Dec 02 '14 at 13:17
  • Actual attackers will spam you with test URLs for all the platforms, they won't bother seeing what you report you are running. So your obscurity gets you nowhere. – JamesRyan Dec 02 '14 at 17:43