BIND Version check
Kevin Darcy
kcd at daimlerchrysler.com
Fri Jun 23 21:31:54 UTC 2000
Barry Finkel wrote:
> Daniel Norton wrote:
>
> >On 20 Jun 2000 17:29:04 -0700, "Tony Grace" <tony at grace.net.au> wrote:
> >>CERT
> >>and in Australia AUSCERT have security papers with recommendations on hiding
> >>BIND version numbers.
> >
> >Here's another bennie: I just now caught a hacker, thanks to
> >"allow-query { localhost ;}" on "version.named". Of course, he was
> >coming in from a freshly hacked system, so I don't know originally
> >whence he came, but he stopped using that system to hack others, anyway.
> >He was doing precisely what I expected a hacker might do, by looking at
> >version.named.
>
> I am not sure I understand this posting. Daniel, are you stating that
> you caught the hacker because you changed/hid the BIND version, or are
> you saying that you caught the hacker because the BIND version was
> accessible? I can read your posting either way.
Hmmm... allow-query { localhost; }; is not what I'd call "accessible". I think
the posting can be reasonably read only one way in that regard.
I will point out, however, that hiding the version number didn't really keep the
hacker out in this instance. All it did was cause the version-probing attempt to
be logged in a more conspicuous way. Running a continuous "grep" on your query
log could accomplish essentially the same thing...
- Kevin
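The log-based detection Kevin describes, as an added example that is not part of the thread: a small Python scanner over constructed BIND 9-style query-log lines (the exact log format, addresses and the `PROBE_NAMES` set are assumptions) that flags CH-class queries for version.bind or version.named and counts the probing sources other than localhost, which is what a continuous grep on the query log would surface.

```python
import re
from collections import Counter

# Constructed sample log, in the assumed BIND 9 query-log style:
# "<date> client <addr>#<port>: query: <name> <class> <type> ..."
SAMPLE_LOG = """\
23-Jun-2000 21:30:01.101 client 192.0.2.10#1034: query: www.example.com IN A +
23-Jun-2000 21:30:02.202 client 198.51.100.7#4102: query: version.bind CH TXT +
23-Jun-2000 21:30:03.303 client 127.0.0.1#5102: query: version.bind CH TXT +
23-Jun-2000 21:30:04.404 client 198.51.100.7#4103: query: VERSION.NAMED. CH TXT +
23-Jun-2000 21:30:05.505 client 203.0.113.9#2233: query: mail.example.com IN MX +
"""

# Pull out client address, queried name, class and type from one log line.
LINE_RE = re.compile(
    r"client (?P<addr>[0-9A-Fa-f.:]+)#\d+: query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)

# Names used to ask a server for its version (assumed set; the thread mentions
# both spellings). Compared case-insensitively, ignoring a trailing dot.
PROBE_NAMES = {"version.bind", "version.named"}

# Addresses that are allowed to ask (matches allow-query { localhost; }).
LOCAL_ADDRS = {"127.0.0.1", "::1"}


def parse_line(line):
    """Return (addr, name, class, type) for a query-log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["addr"], m["name"].rstrip(".").lower(), m["cls"].upper(), m["qtype"].upper()


def is_version_probe(line):
    """True when the line is a CHAOS-class query for a version name."""
    parsed = parse_line(line)
    return parsed is not None and parsed[2] == "CH" and parsed[1] in PROBE_NAMES


def probe_sources(log_text, ignore=frozenset(LOCAL_ADDRS)):
    """Count version-probe queries per client address, skipping allowed ones."""
    counts = Counter()
    for line in log_text.splitlines():
        if is_version_probe(line):
            addr = parse_line(line)[0]
            if addr not in ignore:
                counts[addr] += 1
    return counts


if __name__ == "__main__":
    for addr, n in probe_sources(SAMPLE_LOG).most_common():
        print(f"{addr}: {n} version probe(s)")
```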