httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] Changing "Server: Apache" header to user defined header
Date Tue, 09 Dec 2003 12:35:32 GMT
> -----Original Message-----
> From: Tom Welsh [mailto:twelsh@square-box.com]
> 
> What I want to do is remove .......
> 
> Server: Apache
> 
> From the http header and replace it with
> 
> Server: Some corp stuff
> 
> The reason behind this is to make it harder to identify the server type.

And the reason for that would be...

This is the biggest wild-goose chase on this mailing list. Server type
and version are absolutely no use at all to hackers if the server is
properly patched and secured. If it isn't, then hiding your signature is
no security at all and you'd be better spending your time and energy on
real security.

Anyway, to cut to the chase, you have to hack the source and recompile.

- apache 1.3: src/include/httpd.h (SERVER_BASEPRODUCT)
- apache 2: include/ap_release.h (AP_SERVER_BASE_PRODUCT)

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 



> I know that doing other penetration testing techniques you can still identify
> the server and simply running an Apache vulnerability will show it as
> Apache. But that's what we want.
> 
> I have tried mod_header but I still get "Server:Apache" if an error is
> generated. Looking at mod_header for Apache 1.3.x you could handle this with
> the ErrorHeader directive but this seems to have been removed for the
> version used in Apache 2.0.X
> 
> What I think I'll need to do is change it in the code but not being a
> programmer I don't know how to. I believe it lives in core.c but looking there
> I can't find it.
> 
> Can anyone send me the code diff that I'd need to run against httpd-2.0.48
> sources to facilitate this.
> 
> I'm sure I'm not the only one who wants to do this. Am I?
> 
> I did change it on Linux but I used sed and replaced the string with my own
> string. Unfortunately this hack didn't work on Solaris :(
> 
> Here's the hack if anyone is interested
> 
> Before you do this, consider the following:
> 
> 1. Make sure you know the Apache version number and substitute that in for
> "VERSION" below (i.e. 1.3.20 yields ...Apache\/1.3.20)
> 
> 2. Make sure the replacement name is the same number of letters as the first
> string, noting that "\/" is actually "/" in the file itself - it's escaped.
> I.e.:
> 
>      "Apache/1.3.20" (13 characters) could map to "MAPMAPMAPMAPM" (13
> characters)
> 
> 3. Similarly, you can use spaces to pad out, but you CAN NOT exceed the
> initial character count. Unless you want to perform a server recompile, this
> is the quickest and easiest way of doing things.
> 
> 4. This is a nasty hack, but it works on Linux systems. Take the Apache
> binary (usually /usr/sbin/httpd on RedHat default installs) and run this
> command on it:
> 
> sed -e "s:Apache\/VERSION:REPLACEMENT_NAME:g" httpd > new_httpd
> 
> Stop Apache; move new_httpd onto the old httpd, and add "ServerTokens
> Minimal" to your Apache config file.
> 
> Restart Apache et voila.
> 
> 
> Thanks for your help
> 
> Tom Welsh
> 



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
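The quoted sed hack hinges on one mechanical constraint (rules 1 to 3 above): the replacement must fit in exactly the bytes the compiled-in "Apache/VERSION" string already occupies, padded with spaces if shorter, and the version must be right or nothing is replaced at all. As an added example, not code from this thread or from the Apache project, the Python below does what the sed one-liner does but enforces those rules and reports the number of matches. The function names, the `patch_file` helper and the sample "binary" are this example's own constructions.

```python
"""Same-length replacement of a compiled-in string, the constraint behind
the quoted sed hack.

A string inside a compiled binary sits at a fixed offset and is followed by
other data; writing more bytes than it originally occupied shifts everything
after it and corrupts the file. The sed one-liner leaves that check to the
operator; these helpers enforce it and return how many occurrences changed,
so a wrong VERSION (zero matches) is noticed rather than silently ignored.
Function names and the sample "binary" below are this example's own.
"""
from pathlib import Path


def build_replacement(original: bytes, wanted: bytes) -> bytes:
    """Pad `wanted` with spaces to exactly len(original) bytes.

    Raises ValueError when `wanted` is longer than `original`: there is no
    room for it in the binary (the quoted post's rule 3).
    """
    if len(wanted) > len(original):
        raise ValueError(
            f"replacement {wanted!r} is {len(wanted)} bytes, "
            f"but only {len(original)} bytes are available"
        )
    return wanted.ljust(len(original), b" ")


def patch_server_string(data: bytes, version: str, wanted: str) -> tuple[bytes, int]:
    """Replace every 'Apache/<version>' in `data` with a same-length string.

    Returns (patched_bytes, occurrences_replaced). The output is always the
    same size as the input, which is the invariant the sed hack depends on.
    """
    original = f"Apache/{version}".encode("ascii")
    replacement = build_replacement(original, wanted.encode("ascii"))
    count = data.count(original)
    patched = data.replace(original, replacement)
    assert len(patched) == len(data)  # same-size invariant
    return patched, count


def patch_file(src: Path, dst: Path, version: str, wanted: str) -> int:
    """File-level equivalent of `sed ... httpd > new_httpd`; returns the count.

    Refuses to write an unchanged copy when the version string is not found,
    which is the failure mode of getting VERSION wrong (rule 1).
    """
    patched, count = patch_server_string(src.read_bytes(), version, wanted)
    if count == 0:
        raise ValueError(f"'Apache/{version}' not found in {src}; check the version")
    dst.write_bytes(patched)
    dst.chmod(src.stat().st_mode)  # keep the executable bit
    return count


# Constructed stand-in for an httpd binary: arbitrary bytes around two copies
# of the compiled-in product string, NUL-terminated as C strings are.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x02\x03" + b"Apache/1.3.20\x00" + b"\x00" * 8
    + b"Server: " + b"Apache/1.3.20\x00" + b"\xde\xad\xbe\xef"
)


if __name__ == "__main__":
    patched, n = patch_server_string(SAMPLE_BINARY, "1.3.20", "MAPMAPMAPMAPM")
    print(f"replaced {n} occurrence(s); size unchanged: {len(patched) == len(SAMPLE_BINARY)}")
    try:
        build_replacement(b"Apache/1.3.20", b"Some corp stuff")
    except ValueError as exc:
        print("rejected:", exc)  # 15 bytes do not fit in 13
```

Two things the example makes visible that the one-liner does not: a replacement shorter than the original ends up with its padding spaces on the wire in the Server header, and a version mismatch produces a byte-identical "patched" binary, which is why `patch_file` treats zero matches as an error. Both are reasons the reply above points at the source (`SERVER_BASEPRODUCT` / `AP_SERVER_BASE_PRODUCT`) and a recompile as the proper route.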

