Hi,
This has bothered me for a long time. I am using D6.4, and when you right-click on a Drupal-generated site you can view its source. For security reasons it would be nice if I could hide from the potential adversary that the web site is using Drupal. If the adversary is aware that the site runs Drupal, he can more easily find a security problem with it. Same thing with the modules used on my site. The source shown on right-click says what modules and themes I am using. So basically what I'm after is:
1. How to hide from the visitor that the site is using Drupal?
2. How to hide from the visitor what kind of modules/themes are used for this web site?
Thank you in advance for your answers.
Regards,
Bazin
Comments
you basically cannot do that
If an attacker is trying they will always figure these things out.
The best protection is simply to keep your site up to date and not try to hide the underlying software.
--
Morris Animal Foundation
This kind of thinking is not
This kind of thinking is not leading to anything secure... if so, then why consider security at all: "the attacker will break it eventually"...
A well-secured server doesn't show all its modules, so it should be considered in the CMS case too, and that was my question... If not considered till now, maybe a future consideration...
Now it looks pretty unmasked, so that is why the question is still not answered. Any clues?
I'm not sure
You are promoting security through obscurity
http://en.wikipedia.org/wiki/Security_through_obscurity
In Drupal, it takes a lot of work to hide the fact that a site is running Drupal. In my opinion you'd be better off making sure the site is up to date, reviewing the code of any contributed modules in use on the site, and reviewing the configuration of the site.
--
Morris Animal Foundation
Yes well..
I didn't know there was a name for this idea of security... thanks greggles for the link, I've learned something new. So in that case the ideological discussion is irrelevant because, as your link says:
"The technique stands in contrast with security by design, although many real-world projects include elements of both strategies."
And this is the optimal way, to use both security by design (which I have mentioned unwittingly) and by obscurity (which has been mentioned by you).
I am using the latest versions of Drupal and its modules/themes (by design), although I wish there were a way to make the Drupal internal mechanism not as explicit (I mentioned them in the first post) to an unauthorised viewer (without permissions).
rename admin pages
I have not used this, but I remember coming across a method for using a URL redirection module or combo of modules that lets you rename your login and admin pages. Maybe you'll feel more secure with something like that in place.