[nycphp-talk] Basic security question
David Sklar
sklar at sklar.com
Wed Jul 14 15:44:42 EDT 2004
Paul Reinheimer wrote:
> Every attack whether web or otherwise I have heard about starts with
> learning as much as you can about the target's systems, then seeking
> to exploit some either known or unknown security holes in the software
> that system is running.
>
> Knowing that, why reveal anything? Make the potential attacker work
> for every piece of information they want. Set the apache server string
> to claim it is some recent release of IIS, tell all the services not
> to advertise they are running, save your .php files as .exe and tell
> apache just to interpret appropriately. etc. Obviously if you choose to
> run some off the shelf application (ie phpBB) you will let the cat out
> of the bag, but separating it to a subdomain may only add to the
> confusion.
>
> Does anyone see any real advantage to this approach?
Like all potentially security-increasing activities, this one is a
trade-off. You are certainly confusing potential attackers, but you may
also be confusing yourself (or your staff) -- the nonstandard
configuration that makes your Apache/PHP setup look like IIS or some
imaginary server requires more maintenance overhead to keep up to date,
to explain to new employees, to edit when submitting bug reports, etc.
It's not a huge overhead, but it's there.
A middle ground that I have used in the past is to tell Apache that
files that end in ".html" should be handled by PHP. This provides a
little bit of masking-from-attackers, makes things easy for
non-technical folks working on the web site (since "everything" can have
PHP in it, just save all files as .html), and is easy to maintain.
David
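An added configuration example, not taken from David's or Paul's posts, showing what the "middle ground" above looks like in an Apache 2.4 server config: .html files are handed to PHP, and the server stops advertising its version. The document root and the PHP-FPM socket path are assumptions.

```apache
# Added example (not from the original thread). Apache 2.4 server-level
# config; paths below are placeholders.

# 1. Advertise as little as possible. "Prod" sends only "Server: Apache"
#    (no version, OS or module list); ServerSignature Off drops the footer
#    on error pages and directory listings. Note that ServerTokens cannot
#    make Apache claim to be a different product.
ServerTokens Prod
ServerSignature Off

# 2. Let PHP handle .html as well as .php, so content authors can keep
#    saving everything as .html (David's approach).
#    mod_php form:
#      <FilesMatch "\.(html|php)$">
#          SetHandler application/x-httpd-php
#      </FilesMatch>
#    PHP-FPM form (socket path is an assumption):
<FilesMatch "\.(html|php)$">
    SetHandler "proxy:unix:/run/php/php-fpm.sock|fcgi://localhost/"
</FilesMatch>

# 3. Since the source now lives in ".html" files, make sure editor backups
#    and stray copies (which are NOT routed to PHP) are never served as
#    plain text, and turn off directory listings.
<Directory "/var/www/site">
    Options -Indexes
    Require all granted
</Directory>
<FilesMatch "\.(html|php)(~|\.(bak|orig|swp))$">
    Require all denied
</FilesMatch>
```

Pair this with `expose_php = Off` in php.ini so PHP stops adding its own `X-Powered-By` header, then check your own host with `curl -I` that the response carries only `Server: Apache`. The renaming hides nothing from someone who already has the source, and it does not replace patching; its value is in what the response headers and file names no longer say.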