Perfect SSL-Security vs. Rest of Server Config


#1

Continuing the discussion from HOWTO: A+ with all 100%'s on SSL Labs test using apache2.4 (READ WARNINGS):

When I said that more important than reverse DNS is that the server is configured correctly, and that even more important is to hide the server version, I was still aware that this does not block all script kids. But I can say from my own tests that if a server claims to be Apache with an old PHP version, you will see other attack patterns than if you say that you are running Tomcat.
And also it was under the topic of A+ with 4 times 100%. You are correct that up-to-date versions are important.
It is also the case with my server. I still think that many people only look at one point where they get ratings and lose sight of other important points.


#2

Please share how to hide the server hostname.
Currently, I am using an Apache 2.4 server.


#3

Hi, are you sure you mean hostname?
This is mandatory in the certificate.


#4

Yes, I want to hide the server hostname.


#5

That’s the reverse DNS for the server’s IP. You can’t change that directly as it’s set by your ISP/hosting company.


#6

Please check this link: https://www.ssllabs.com/ssltest/analyze.html?d=btcpanda.com&s=104.20.63.86
In that, the server hostname is hidden, so I need to do the same configuration.


#7

That’s because CloudFlare don’t set a reverse DNS on their IPs.


#8

Hi, you should think twice about removing the reverse DNS because some mail servers rate this as a negative indicator. And on the other side there are still traceroute and whois to get more information about your server.
More important is that the server is configured correctly.
For example, my domain: https://suche.org/


#9

[off-topic]

Security by obscurity :thumbsdown: :sob:

I wholeheartedly don’t agree with your statement “even more important”. Scripts will be run against your server and daemons anyway. You should keep your software up to date and secure all the time; hiding your software and/or versions won’t change anything and won’t keep the scriptkiddos away.

[/off-topic]


#10

There’s absolutely nothing wrong with adding a layer of obscurity over a properly secured system, however…

Totally. Obscuring what you have is definitely not “even more important” than properly securing and updating the system.

But there is still nothing wrong with obscuring OS/webserver version numbers. At worst it does nothing, and at best it reduces targeted attacks.


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
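
Added example, not part of the original thread: a small Python audit that reports which product/version tokens a server's own response headers disclose, which is the information posts #1, #9 and #10 argue about hiding. The two sample responses are constructed for illustration, and the function names are hypothetical.

```python
import re

# Headers that commonly disclose software and version information.
BANNER_HEADERS = ("server", "x-powered-by")

# A product token followed by a version, e.g. "Apache/2.4.10" or "PHP/5.4.45".
VERSIONED_TOKEN = re.compile(r"([A-Za-z][\w.+-]*)/(\d[\w.+~-]*)")

def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: [values]}."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def disclosed_versions(raw):
    """Return sorted (header, product, version) tuples found in banner headers."""
    findings = set()
    headers = parse_headers(raw)
    for name in BANNER_HEADERS:
        for value in headers.get(name, []):
            for product, version in VERSIONED_TOKEN.findall(value):
                findings.add((name, product, version))
    return sorted(findings)

# Constructed sample responses (not captured from any real server).
VERBOSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.10 (Debian) OpenSSL/1.0.1t\r\n"
    "X-Powered-By: PHP/5.4.45\r\n"
    "Content-Type: text/html\r\n\r\n"
)
MINIMAL = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE), ("minimal", MINIMAL)):
        print(label, disclosed_versions(raw))
```

On Apache 2.4 the `Server` banner is controlled by the `ServerTokens` directive (with `ServerSignature` covering server-generated pages), and PHP's `X-Powered-By` header by `expose_php`; an empty result here only means the banner is quiet, not that the software behind it is current.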