Feature #3710
closed
Added by Rafal Kupiec about 9 years ago.
Updated almost 7 years ago.
Description
Please implement the ability to change the way tvh introduces itself. Thus, scanning ports or trying to connect should not give a potential attacker the real software name and its version. Please at least implement this for the HTTP protocol, so that services like Shodan will stop recognizing tvh. It will be harder to find a server with tvh running.
- Status changed from New to Rejected
Use the --useragent configuration option.
- Status changed from Rejected to New
Oops. Sorry, it's for http client - not server.
Yep,
nginx has an option:
more_set_headers 'Server: XYZ';
and it will introduce itself as XYZ instead of nginx.
Would be nice to see such an option in TVH too.
- Target version set to 4.4
Really 4.4? Doesn't seem to be so time-consuming to implement this.
Many TVH installations can be found on Shodan. Having such an option, everyone could change the way TVH introduces itself, thus trying to hide the application from abusive users.
- Status changed from New to Fixed
- % Done changed from 0 to 100
Applied in changeset commit:tvheadend|816fdb93a2ff84769d5491b7fb0071d4c5f4386c.
Is realm also modified?
WWW-Authenticate: Digest realm="tvheadend"
Shodan users still can see that...
It is not, it's still asking for password as 'tvheadend' and we cannot modify it.
IMHO this feature request is not implemented as expected.
Fixed in v4.3-135-ge0a31ac.
Hi,
This change doesn't apply to the name advertised with the RTSP port (SAT>IP protocol).
Perhaps, it will be useful to use the configuration name also with this protocol.
I also see:
Location: extjs.html
on Shodan for tvheadend servers, is it possible to also hide this? Or is it needed for the webui to work or something?
Regards.
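Added example, not part of the original thread or of tvheadend's code: a self-check an operator can run over a response head from their own server to see which of the three headers raised in this thread (Server, the WWW-Authenticate realm, Location) still name the product. The sample responses and the marker list are constructed for illustration.

```python
import re

# Strings from this thread that identify the product (assumed list; extend as needed).
MARKERS = ("tvheadend", "extjs.html")
REALM_RE = re.compile(r'realm\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_headers(raw):
    """Return [(lowercased_name, value)] from a raw HTTP response head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def identity_leaks(raw, markers=MARKERS):
    """List (header, leaked_text) pairs that still name the product."""
    leaks = []
    for name, value in parse_headers(raw):
        if name == "www-authenticate":
            # The realm parameter is the part the thread flags as still saying "tvheadend".
            candidates = REALM_RE.findall(value)
        elif name in ("server", "location"):
            candidates = [value]
        else:
            continue
        for text in candidates:
            if any(m.lower() in text.lower() for m in markers):
                leaks.append((name, text))
    return leaks


# Constructed responses (not captured from a real server).
BEFORE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: HTS/tvheadend\r\n"
    'WWW-Authenticate: Digest realm="tvheadend", qop="auth", nonce="abc"\r\n'
    "\r\n"
)
AFTER_SERVER_ONLY = BEFORE.replace("HTS/tvheadend", "XYZ")  # Server renamed, realm untouched
REDIRECT = "HTTP/1.1 302 Found\r\nServer: XYZ\r\nLocation: extjs.html\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("renamed", AFTER_SERVER_ONLY), ("redirect", REDIRECT)):
        print(label, identity_leaks(raw))
```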