httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@six-group.com>
Subject RE: [users@httpd] Re: Fixing HTTP Service / Server Version Detected
Date Wed, 10 Jun 2009 13:10:39 GMT
> -----Original Message-----
> From: Singh, Sukhjeet [mailto:sukhjeet.singh@fiserv.com] 
> Sent: Wednesday, June 10, 2009 2:56 PM
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] Re: Fixing HTTP Service / Server 
> Version Detected
> 
> Eric,
> 
> Can you let me know the best possible way to hide this banner?

There is no way, via configuration, to hide it. You can only reduce it
to a minimum by setting the directive in the documentation link you were
sent (you did follow this link, didn't you?)

If you are really determined, you can remove it in the source code and
recompile (search for "ServerTokens"). Alternatively, some application
firewall might be able to filter out this response header.

However, as Dan has said, every attacker just blindly attacks every
server with every exploit. They do not waste time "testing" to try to
match exploit to server. If they did it would be great! - we could all
just masquerade our servers as "Dreadnought Unbreakable Server" and
hackers would all have to give up. The warning you have seen is just a
stock message that security consultants wheel out to make it look like
they are doing something.

There was originally a good reason for the server signature - in the
early days, different browsers and servers had slightly different
capabilities and it was useful if each could identify the other in order
to work around known bugs and features. However, nowadays everything
does everything and it probably doesn't matter any more.

Having said all that, I hear that future versions of apache might have a
directive allowing you to put "Bob's Handy Dandy Server" in there... so
maybe just wait a while.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 
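As an added illustration of the ServerTokens discussion above (this is not code from the thread or from the httpd project): a small audit that maps an observed `Server:` header back to the ServerTokens level that would produce it, reads the effective ServerTokens/ServerSignature values out of a config fragment (applying httpd's defaults, Full and Off), and flags both a too-verbose config and a banner that disagrees with the config. The config text and header values below are constructed samples.

```python
import re

# Banner shapes documented for each ServerTokens level in the httpd 2.2
# core docs, ordered from least to most revealing. Even "Prod" still
# says "Apache": configuration alone never removes the header entirely.
_LEVEL_PATTERNS = [
    ("Prod",  r"^Apache$"),
    ("Major", r"^Apache/\d+$"),
    ("Minor", r"^Apache/\d+\.\d+$"),
    ("Min",   r"^Apache/\d+\.\d+\.\d+$"),
    ("OS",    r"^Apache/\d+\.\d+\.\d+ \([^)]+\)$"),
    ("Full",  r"^Apache/\d+\.\d+\.\d+ \([^)]+\) .+$"),
]
# Directive spellings httpd accepts, normalised to one name per level.
_TOKEN_ALIASES = {"prod": "Prod", "productonly": "Prod", "major": "Major",
                  "minor": "Minor", "min": "Min", "minimal": "Min",
                  "os": "OS", "full": "Full"}

def classify_server_header(value):
    """Return the ServerTokens level whose banner shape matches `value`."""
    value = value.strip()
    for level, pattern in _LEVEL_PATTERNS:
        if re.match(pattern, value):
            return level
    return "Unknown"  # not Apache-shaped: rewritten by a proxy/WAF, or not httpd

def effective_settings(conf_text):
    """Effective ServerTokens/ServerSignature for a config fragment,
    using httpd's defaults (Full / Off) when a directive is absent."""
    settings = {"ServerTokens": "Full", "ServerSignature": "Off"}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()  # strip comments, tokenise
        if len(parts) == 2 and parts[0] in settings:
            raw = parts[1].lower()              # last occurrence wins
            if parts[0] == "ServerTokens":
                settings[parts[0]] = _TOKEN_ALIASES.get(raw, parts[1])
            else:
                settings[parts[0]] = raw.title()  # On / Off / Email
    return settings

def audit(conf_text, observed_server_header):
    """List findings: config leaking more than 'Apache', or a live banner
    that does not match what the config should produce."""
    s = effective_settings(conf_text)
    findings = []
    if s["ServerTokens"] != "Prod":
        findings.append("ServerTokens is %s; set 'ServerTokens Prod'" % s["ServerTokens"])
    if s["ServerSignature"] != "Off":
        findings.append("ServerSignature is %s; set 'ServerSignature Off'" % s["ServerSignature"])
    observed = classify_server_header(observed_server_header)
    if observed != s["ServerTokens"]:
        findings.append("observed banner matches ServerTokens %s, config gives %s"
                        % (observed, s["ServerTokens"]))
    return findings

if __name__ == "__main__":
    # Constructed sample: a config that still reveals the OS, checked against
    # a constructed banner as it might be seen in a response's Server: header.
    sample_conf = "ServerTokens OS   # TODO: tighten\nServerSignature On\n"
    for f in audit(sample_conf, "Apache/2.2.11 (Unix)"):
        print("finding:", f)
```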

> 
> Sukhjeet
> 
> -----Original Message-----
> From: Dan Poirier [mailto:poirier@pobox.com] 
> Sent: Wednesday, June 10, 2009 6:05 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] Re: Fixing HTTP Service / Server 
> Version Detected
> 
> Eric Covener <covener@gmail.com> writes:
> 
> > On Wed, Jun 10, 2009 at 7:53 AM, Singh, Sukhjeet
> > <sukhjeet.singh@fiserv.com> wrote:
> >> The server allows capture of the HTTP service banner. Service banners
> >> can contain sensitive information, such as application and Operating
> >> System (OS) version numbers. An attacker can use the version
> >> information from your Web server to determine if there are any known
> >> vulnerabilities present, or can use such information to create attacks
> >> towards the specific application or OS.
> >
> > http://httpd.apache.org/docs/2.2/mod/core.html#servertokens
> 
> Sukhjeet, you can hide this information, but I wouldn't think it would
> make your server any more secure.  Most attackers will 
> probably just try
> a bunch of known vulnerabilities without even looking at the OS and
> version.
> 
> -- 
> Dan Poirier <poirier@pobox.com>
> 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org