Posted to users@httpd.apache.org by Loc Nguyen <lo...@piniongroup.com> on 2003/04/12 01:47:57 UTC

[users@httpd] Setup HTTP server

Hi all,

I am running an Apache web server version 1.3.26 on Debian Linux.
By default, the web server returns the server version as "Server:
Apache/1.3.26 (Unix) Debian GNU/Linux". Can I change this to say
something like "Server: Webserver" ? I don't want to give out too much
information about the web server.

Another question: When I telnet to the web server and issue the "OPTIONS
*" method, I get back "Allow: GET, HEAD, OPTIONS, TRACE". Can I reject
the OPTIONS method request with a 400 Bad Request error message ?


Thank you for your help in advance.

Loc Nguyen




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Setup HTTP server

Posted by Joshua Slive <jo...@slive.ca>.
On Fri, 11 Apr 2003, Loc Nguyen wrote:

> I am doing this because there are a lot of hackers using the result of
> the OPTIONS method to fingerprint the web server. Dropping this
> information helps to protect the server a little bit more.
>

Not really.  The way to protect your server is to keep it secure, not to
hide insecurity.  Dropping OPTIONS just makes your server less useful.

Trying to hide the identity of your server doesn't help because:

1. Stupid skript-kiddies don't really care what you are running.  They
just try every hack against every IP address they can find.

2. Smart crackers will be able to find information about your server in
hundreds of different ways with or without OPTIONS.

Joshua.



Re: [users@httpd] Setup HTTP server

Posted by Loc Nguyen <lo...@piniongroup.com>.
I am doing this because there are a lot of hackers using the result of
the OPTIONS method to fingerprint the web server. Dropping this
information helps to protect the server a little bit more.

I will try your recommendation. 
Thanks a lot.

Loc Nguyen
On Fri, 2003-04-11 at 16:58, Joshua Slive wrote:
> 
> On Fri, 11 Apr 2003, Loc Nguyen wrote:
> > I am running an Apache web server version 1.3.26 on Debian Linux.
> > By default, the web server returns the server version as "Server:
> > Apache/1.3.26 (Unix) Debian GNU/Linux". Can I change this to say
> > something like "Server: Webserver" ? I don't want to give out too much
> > information about the web server.
> >
> > Another question: When I telnet to the web server and issue the "OPTIONS
> > *" method, I get back "Allow: GET, HEAD, OPTIONS, TRACE". Can I reject
> > the OPTIONS method request with a 400 Bad Request error message ?
> 
> Seems like a silly thing to do with your time.  How is this at all
> dangerous?
> 
> Anyway, have you tried
> 
> <Location />
> <Limit OPTIONS>
> Order allow,deny
> Deny from all
> </Limit>
> </Location>
> 
> This will give you a 403 rather than a 400, but sending back a 400 in this
> case seems to me like a violation of the HTTP standards.
> 
> Joshua
> 


Re: [users@httpd] Setup HTTP server

Posted by Joshua Slive <jo...@slive.ca>.
On Fri, 11 Apr 2003, Loc Nguyen wrote:
> I am running an Apache web server version 1.3.26 on Debian Linux.
> By default, the web server returns the server version as "Server:
> Apache/1.3.26 (Unix) Debian GNU/Linux". Can I change this to say
> something like "Server: Webserver" ? I don't want to give out too much
> information about the web server.
>
> Another question: When I telnet to the web server and issue the "OPTIONS
> *" method, I get back "Allow: GET, HEAD, OPTIONS, TRACE". Can I reject
> the OPTIONS method request with a 400 Bad Request error message ?

Seems like a silly thing to do with your time.  How is this at all
dangerous?

Anyway, have you tried

<Location />
<Limit OPTIONS>
Order allow,deny
Deny from all
</Limit>
</Location>

This will give you a 403 rather than a 400, but sending back a 400 in this
case seems to me like a violation of the HTTP standards.

Joshua



RE: [users@httpd] Setup HTTP server

Posted by Jeff Cohen <li...@gej-it.com>.
The docs say:

"ServerTokens
This directive configures what you return as the Server HTTP response
Header. The default is 'Full' which sends information about the OS-Type
and compiled in modules.
Set to one of:  Full | OS | Minor | Minimal | Major | Prod
where Full conveys the most information, and Prod the least."

All the best,
Jeff Cohen


> -----Original Message-----
> From: Loc Nguyen [mailto:loc@piniongroup.com]
> Sent: Friday, April 11, 2003 7:48 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] Setup HTTP server
> 
> 
> Hi all,
> 
> I am running an Apache web server version 1.3.26 on Debian Linux.
> By default, the web server returns the server version as "Server:
> Apache/1.3.26 (Unix) Debian GNU/Linux". Can I change this to say
> something like "Server: Webserver" ? I don't want to give out too much
> information about the web server.
> 
> Another question: When I telnet to the web server and issue the "OPTIONS
> *" method, I get back "Allow: GET, HEAD, OPTIONS, TRACE". Can I reject
> the OPTIONS method request with a 400 Bad Request error message ?
> 
> 
> Thank you for your help in advance.
> 
> Loc Nguyen
> 
> 
> 
> 
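Added example, not part of the thread: a small Python check that reads a captured reply to an OPTIONS request and reports which ServerTokens level the Server header corresponds to and whether an Allow list is still returned. The header shapes follow the ServerTokens documentation quoted above; the two sample responses are constructed, and the function names are this example's own.

```python
import re

# ServerTokens levels, least to most revealing, with the Server header
# shape each one produces according to the ServerTokens documentation.
LEVELS = [
    ("Prod",  re.compile(r"^Apache$")),
    ("Major", re.compile(r"^Apache/\d+$")),
    ("Minor", re.compile(r"^Apache/\d+\.\d+$")),
    ("Min",   re.compile(r"^Apache/\d+\.\d+\.\d+$")),
    ("OS",    re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]*\)$")),
    ("Full",  re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]*\) .+$")),
]

def parse_response(raw):
    """Split a raw HTTP response head into (status_code, {header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def server_tokens_level(server):
    """Name the ServerTokens level a Server header value matches."""
    for level, pattern in LEVELS:
        if pattern.match(server):
            return level
    return "unknown"

def audit(raw_options_response):
    """Summarise what a reply to an OPTIONS request discloses."""
    status, headers = parse_response(raw_options_response)
    allow = [m.strip() for m in headers.get("allow", "").split(",") if m.strip()]
    return {"status": status,
            "tokens": server_tokens_level(headers.get("server", "")),
            "allow": allow}

# Constructed samples: the reply described in the original question, and a
# reply carrying the 403 and a product-only Server header.
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Server: Apache/1.3.26 (Unix) Debian GNU/Linux\r\n"
          "Allow: GET, HEAD, OPTIONS, TRACE\r\n"
          "Content-Length: 0\r\n\r\n")
AFTER = ("HTTP/1.1 403 Forbidden\r\n"
         "Server: Apache\r\n"
         "Content-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    print(audit(BEFORE))
    print(audit(AFTER))
```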