On 2/7/07, John Hinton <webmaster at ew3d.com> wrote:
> Seems that some of the credit card processors demand the use of Security
> Metrics to test their web hosting for meeting a fairly good security
> standard.
>
> First, it doesn't matter if they do online credit card processing or
> not, just credit card processing period. This makes some sense, as
> someone could hack in a form pretending to ask for this information...
> so there is at least some risk.. and we all know credit card companies
> ultimately want to achieve 0 risk. ;)
>
> Anyway, the frustration is this and early on their reports even talked
> about it. Redhat doesn't follow the normal numbering system for a lot of
> their security updates for various packages. PHP is a great example of
> the time. Security Metrics says I must be running 5.1 due to exploits in
> earlier versions due to CANXXXX whereas Redhat has clearly addressed the
> issue, sent out a patch and generally we have it installed 2 to 6 months
> before SM starts a failing process.
>
> ---- The real question ----
>
> Basically, I was wondering if there were many of you 'jumping through
> these same hoops'? If there are, perhaps we as a group could do
> something to get them to check for CentOS and then look for RHEL
> versions in hopes of ending these hassles.
>
> ---- end real question ----
>
> I have found that by contacting SM, they will make a correction to a
> test once they know what you are running, but this seems to come up with
> each and every test. And the testing is done by domain, not by server,
> so you have to deal with each domain tested with the exact same crap..
> which amounts to jumping through a hoop.
>
> Also, I've come to realize that some of what they ask that you do,
> equates to having your locked car in the driveway with the keys in your
> pocket.. this fails... But, if you put those keys in a different locked
> car beside it in the driveway and put the keys to that car in your
> pocket, it passes.
> Very sad......
>
> And never once have they considered talking about the very basics like a
> good password policy. :(
>
> One other thing that bothers me about them is they 'sell appliances'.
> So, if your server/host can't pass or doesn't want to deal with it, we
> can 'sell' them something, making more money which to me seems like a
> conflict of interest for someone operating under the guise of security.

Try adding this to your http.conf:

    ServerSignature Off
    ServerTokens Prod

It will no longer show versions and modules. I had a similar issue thanks
to backporting.

Grant
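Added example, not from the thread or from any of the tools it mentions: a small Python check showing both halves of the mismatch John and Grant describe, namely what a version-matching scanner reads from the Server: header with ServerTokens Full versus Prod, and how the vendor changelog (what `rpm -q --changelog <pkg>` prints) records a backported fix even though the version string never moves. The headers, changelog text and advisory ids below are constructed placeholders, not real data.

```python
import re

# Constructed sample of `rpm -q --changelog php` output on a RHEL/CentOS host.
# The advisory ids are placeholders, not real CVE/CAN numbers. Note the fix is
# backported into 4.3.9-3.22 while the upstream version stays 4.3.9.
SAMPLE_CHANGELOG = """\
* Tue Oct 10 2006 Example Maintainer <maint@example.invalid> 4.3.9-3.22
- add security fix for CVE-EXAMPLE-0001 (placeholder id)
* Mon Jun 05 2006 Example Maintainer <maint@example.invalid> 4.3.9-3.20
- fix build on x86_64
"""

# Constructed Server: header values as sent with ServerTokens Full vs. Prod.
BANNER_FULL = "Apache/2.0.52 (CentOS) PHP/4.3.9"
BANNER_PROD = "Apache"


def version_tuple(v):
    """'4.3.9' -> (4, 3, 9) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def banner_versions(server_header):
    """Parse product/version pairs the way a banner-matching scanner does.
    Parenthesised comments such as '(CentOS)' are ignored; a product with no
    version (ServerTokens Prod) maps to None."""
    stripped = re.sub(r"\([^)]*\)", "", server_header)
    found = {}
    for product, version in re.findall(r"([A-Za-z][\w-]*)(?:/(\d[\w.]*))?", stripped):
        found[product] = version or None
    return found


def banner_verdict(server_header, product, required):
    """What a version-only scanner concludes: 'fail' if the advertised version is
    below the required one, 'pass' if at or above, 'unknown' if none is shown."""
    version = banner_versions(server_header).get(product)
    if version is None:
        return "unknown"
    return "pass" if version_tuple(version) >= version_tuple(required) else "fail"


def fix_in_changelog(changelog, advisory_id):
    """Defender's check: look for the advisory id in the package changelog,
    which is where a backported fix is recorded when the version does not change."""
    ids = set(re.findall(r"\b(?:CVE|CAN)-\w+-\d+\b", changelog))
    return advisory_id in ids
```

The "unknown" verdict is the point of Grant's two directives: hiding the version removes the false failure but does not by itself prove the fix is installed, which is what the changelog check answers.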