zimny
(Zimny)
February 11, 2018, 10:29pm
1
I know this is not a big issue, but when we are considering NS as a secure platform, can we disable it by default?
To be honest, adjustments like “config setprop php ExposePhp 0” do not solve a problem.
For an experienced pentester, these pages can give a good picture of the PHP version, etc.
Why not avoid it at the OS config layer?
davidep
(Davide Principi)
February 12, 2018, 7:22am
2
Any suggestion about hardening the current config is welcome!
Attackers know well the PHP version of NethServer because it’s publicly available from CentOS packages.
1 Like
giacomo
(Giacomo Sanchietti)
February 12, 2018, 9:49am
3
I don’t think Security through Obscurity is a good practice.
By the way, if you want to change PHP configuration, besides what is currently supported by props, you can implement a template-custom for /etc/php.d/nethserver.ini or edit any other file inside /etc/php.d/.
Just for reference:
In security engineering, security through obscurity (or security by obscurity) is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system. A system or component relying on obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, that will be sufficient to prevent a successful attack. Security experts have rejected this view as far back a...