Posted to dev@httpd.apache.org by Jim Jagielski <ji...@jagunet.com> on 2004/01/13 14:53:38 UTC

Proposal: Allow ServerTokens to specify Server header completely

I'd like to get some sort of feedback concerning the idea
of having ServerTokens not only "adjust" what Apache
sends in the Server header, but also allow the directive
to fully set that info.

For example: ServerTokens Set Aporche/3.5
would cause Apache to send Aporche/3.5 as the
Server header. Some people want to be able to "totally"
obscure the server type.


Re: Proposal: Allow ServerTokens to specify Server header completely

Posted by Colm MacCarthaigh <co...@stdlib.net>.
On Tue, Jan 13, 2004 at 03:04:30PM +0100, Lars Eilebrecht wrote:
> - It's only security by obscurity and providing such a
>   "security feature" may be misleading for our users.
> - We don't want people to obfuscate the server name, do we?

It's a terrible terrible terrible idea, and makes auditing your
own network much much harder, but it's really a decision for
administrators to make - if they want to shoot themselves in the
foot, let them :)

> If people really want to change it they can always do
> that at compile time, but we should not encourage it
> by providing a configuration directive for it.

Most admins never compile apache :)

-- 
Colm MacCárthaigh                        Public Key: colm+pgp@stdlib.net

Re: Proposal: Allow ServerTokens to specify Server header completely

Posted by Lars Eilebrecht <la...@hyperreal.org>.
According to Jim Jagielski:

> I'd like to get some sort of feedback concerning the idea
> of having ServerTokens not only "adjust" what Apache
> sends in the Server header, but also allow the directive
> to fully set that info.

I tend to be -1 on this for the following reasons:

- It's only security by obscurity and providing such a
  "security feature" may be misleading for our users.
- We don't want people to obfuscate the server name, do we?

If people really want to change it they can always do
that at compile time, but we should not encourage it
by providing a configuration directive for it.


ciao...
-- 
Lars Eilebrecht            - Don't use no double negatives, not never.
lars@hyperreal.org

Re: Proposal: Allow ServerTokens to specify Server header completely

Posted by Mads Toftum <ma...@toftum.dk>.
On Tue, Jan 13, 2004 at 08:53:38AM -0500, Jim Jagielski wrote:
> I'd like to get some sort of feedback concerning the idea
> of having ServerTokens not only "adjust" what Apache
> sends in the Server header, but also allow the directive
> to fully set that info.
> 
> For example: ServerTokens Set Aporche/3.5
> would cause Apache to send Aporche/3.5 as the
> Server header. Some people want to be able to "totally"
> obscure the server type.

I must say that I'm no fan of making such a change - why should
we help people do that? To quote the FAQ -

This is not advised, as it is almost certain not to provide you 
with the added security you think that you are gaining. The 
exact method of doing this is left as an exercise for the reader,
as we are not keen on helping you do something that is 
intrinsically a bad idea.

I agree with the FAQ - there is no good reason to change that,
so let's not help.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall


Re: Proposal: Allow ServerTokens to specify Server header completely

Posted by Cliff Woolley <jw...@virginia.edu>.
On Mon, 26 Jan 2004, Aaron Bannert wrote:

> I think one should have to change the source code in order to
> have this level of control over the Server: header.

I strongly agree.

--Cliff

Re: Proposal: Allow ServerTokens to specify Server header completely

Posted by Aaron Bannert <aa...@clove.org>.
On Tue, Jan 13, 2004 at 02:04:06PM +0000, Ivan Ristic wrote:
> Jim Jagielski wrote:
> 
> >I'd like to get some sort of feedback concerning the idea
> >of having ServerTokens not only "adjust" what Apache
> >sends in the Server header, but also allow the directive
> >to fully set that info.
> >
> >For example: ServerTokens Set Aporche/3.5
> >would cause Apache to send Aporche/3.5 as the
> >Server header. Some people want to be able to "totally"
> >obscure the server type.
> 
>   I like the idea. Right now you either have to
>   change the source code or use mod_security to achieve
>   this, but I think the feature belongs to the server core.
> 
>   But I think a new server directive is a better solution.

I think one should have to change the source code in order to
have this level of control over the Server: header.

-aaron

Re: Proposal: Allow ServerTokens to specify Server header completely

Posted by Lars Eilebrecht <la...@hyperreal.org>.
According to Ivan Ristic:

>   I recently changed the signature of the Apache running on
>   modsecurity.org (to pretend to be IIS5). As a result, I've started
>   getting more IIS-related attacks than before. So, the signature
>   does matter.

I'm getting IIS-related attacks on my servers even without
configuring an IIS server header.

If everyone starts changing the server header to some funny
name or to remove it completely, newer exploit tools won't
bother to check it at all, but just try to exploit the server.

ciao...
-- 
Lars Eilebrecht                   - Quoting one is plagiarism.
lars@hyperreal.org                 - Quoting many is research.

Re: Proposal: Allow ServerTokens to specify Server header completely

Posted by Colm MacCarthaigh <co...@stdlib.net>.
On Tue, Jan 13, 2004 at 03:28:24PM +0000, Ivan Ristic wrote:
>   Also, imagine I have a PHP application (I chose PHP because
>   it runs on Windows and on Unix), and that someone is trying
>   to find a hole in the app. If they think I'm running Windows
>   they'll try to run Windows-specific attempts, completely
>   missing the point (I know about OS fingerprinting but a typical
>   Web attacker doesn't).

If you need to worry about the typical web attacker, you're in
big trouble. The typical web attacker is inept, capable mostly
of mindless regurgitation with the efforts of others. If you 
haven't defended against this vector; give up. A lot of them won't even
know what a server-token is.

If the attacker is in any way motivated or adept, they'll know about
whisker et al and changing the token will represent a minor curiosity -
but nothing else.

>   Changing the server signature is a small benefit, but one of
>   many you can have.

I'm utterly convinced that in 99% of circumstances it's of negative
security benefit. You gain pretty much nothing, and lose the ability
to telnet port 80 throughout your subnet and then reliably assess 
what you need to upgrade.

Where changing it would be useful is if you want to encode even 
more useful information easily, available for audit. Or if you're
an old-time show-off and just want to have a cool banner like
"EvilServer 3.1" that may impress the odd kid who can figure out
how to telnet port 80 :)

>   But, at the end of the day, I think sysadmins should be the ones
>   making the decision, with programmers giving them... rope :)

Absolutely! For good or for bad a lot of people want the ability.

-- 
Colm MacCárthaigh                        Public Key: colm+pgp@stdlib.net
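The audit use case Colm describes above (sweeping your own hosts and reading the Server header to decide what needs upgrading), as an added example that is not code from this thread or from httpd itself. The responses, hosts and minimum-version policy are constructed; the point is that a stripped, forged or missing token turns a clear upgrade verdict into "unknown".

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample responses from an internal inventory sweep (not real hosts).
# Each value is the status line plus headers a server would return to a HEAD request.
SAMPLE_RESPONSES = {
    "10.0.0.1": b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.48 (Unix)\r\nContent-Length: 0\r\n\r\n",
    "10.0.0.2": b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.29 (Unix) PHP/4.3.4\r\n\r\n",
    "10.0.0.3": b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",        # ServerTokens Prod
    "10.0.0.4": b"HTTP/1.1 200 OK\r\nServer: Aporche/3.5\r\n\r\n",    # fully rewritten token
    "10.0.0.5": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",      # header removed entirely
}

# Hypothetical minimum acceptable versions for this audit policy.
MIN_VERSIONS = {"apache": (2, 0, 48)}

# First product token of a Server header: name, optionally "/version".
_TOKEN_RE = re.compile(r"^([A-Za-z0-9_.-]+)(?:/([0-9][0-9.]*))?")

def server_header(raw: bytes) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def product_version(header: str) -> Tuple[str, Optional[Tuple[int, ...]]]:
    """Split the first product token ('Apache/2.0.48') into a name and a version tuple."""
    m = _TOKEN_RE.match(header)
    if not m:
        return header.lower(), None
    name, ver = m.group(1).lower(), m.group(2)
    return name, tuple(int(p) for p in ver.strip(".").split(".")) if ver else None

def audit(responses: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each host as 'ok', 'upgrade', or 'unknown' (token hidden, forged or missing)."""
    verdicts = {}
    for host, raw in responses.items():
        hdr = server_header(raw)
        if hdr is None:
            verdicts[host] = "unknown"
            continue
        name, ver = product_version(hdr)
        floor = MIN_VERSIONS.get(name)
        if floor is None or ver is None:
            verdicts[host] = "unknown"           # unrecognised product or version stripped
        else:
            verdicts[host] = "ok" if ver >= floor else "upgrade"
    return verdicts
```

Only the first host yields a usable verdict without further work; the ServerTokens Prod host, the rewritten token and the missing header all land in the same "unknown" bucket, which is the auditing cost Colm refers to.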

Re: Proposal: Allow ServerTokens to specify Server header completely

Posted by Ivan Ristic <iv...@webkreator.com>.
>>   I recently changed the signature of the Apache running on
>>   modsecurity.org (to pretend to be IIS5). As a result, I've started
>>   getting more IIS-related attacks than before. So, the signature
>>   does matter.
> 
> And what was the security advantage?

   Smaller number of attack attempts made specifically against
   my configuration. Would-be attackers going somewhere else
   to play.

   Also, imagine I have a PHP application (I chose PHP because
   it runs on Windows and on Unix), and that someone is trying
   to find a hole in the app. If they think I'm running Windows
   they'll try to run Windows-specific attempts, completely
   missing the point (I know about OS fingerprinting but a typical
   Web attacker doesn't).

   Changing the server signature is a small benefit, but one of
   many you can have.

   But, at the end of the day, I think sysadmins should be the ones
   making the decision, with programmers giving them... rope :)

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]


Re: Proposal: Allow ServerTokens to specify Server header completely

Posted by André Malo <nd...@perlig.de>.
* Ivan Ristic <iv...@webkreator.com> wrote:

> 
> >>   I like the idea. Right now you either have to
> >>   change the source code or use mod_security to achieve
> >>   this, but I think the feature belongs to the server core.
> >>
> >>   But I think a new server directive is a better solution.
> > 
> > As Lars said (and I agree), it has nothing to do with security. Why do you
> > provide such a "feature" then?
> 
>    Because I believe that changing the signature prevents some
>    automated tools from attacking the server.
> 
>    I recently changed the signature of the Apache running on
>    modsecurity.org (to pretend to be IIS5). As a result, I've started
>    getting more IIS-related attacks than before. So, the signature
>    does matter.

And what was the security advantage?

nd

Re: Proposal: Allow ServerTokens to specify Server header completely

Posted by Chip Cuccio <ch...@norlug.org>.
* On Tue, Jan 13, 2004 at 02:25:36PM +0000, Ivan Ristic wrote:
>   Because I believe that changing the signature prevents some
>   automated tools from attacking the server.

This is a valid point.

>   I recently changed the signature of the Apache running on
>   modsecurity.org (to pretend to be IIS5). As a result, I've started
>   getting more IIS-related attacks than before. So, the signature
>   does matter.

Exactly. In an enterprise where I am responsible for 1000+ web
servers, we ran metrics to see the ratios in which servers' signatures
were "examined". Not to be anti-IIS or anything, but the scans against IIS
outweighed the Apache scans in the range of 8:1, or somewhere in those
lines.

I also would like to say that the majority of those (Apache) metrics
exhibited more "examinations" which were specific to code
vulnerabilities, not server-specific vulnerabilities.

To close, I don't think adding any type of directive to falsify
SERVER_SOFTWARE would be of any benefit, except to add a false sense
of security.

-- 
Chip Cuccio                    |  chipster[at]norlug[.]org
NORLUG VP and Sysadmin         |  <http://norlug.org/~chipster/>
Northfield Linux Users' Group  |  Northfield, Minnesota USA

Re: Proposal: Allow ServerTokens to specify Server header completely

Posted by Ivan Ristic <iv...@webkreator.com>.
>>   I like the idea. Right now you either have to
>>   change the source code or use mod_security to achieve
>>   this, but I think the feature belongs to the server core.
>>
>>   But I think a new server directive is a better solution.
> 
> As Lars said (and I agree), it has nothing to do with security. Why do you
> provide such a "feature" then?

   Because I believe that changing the signature prevents some
   automated tools from attacking the server.

   I recently changed the signature of the Apache running on
   modsecurity.org (to pretend to be IIS5). As a result, I've started
   getting more IIS-related attacks than before. So, the signature
   does matter.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]


Re: Proposal: Allow ServerTokens to specify Server header completely

Posted by André Malo <nd...@perlig.de>.
* Ivan Ristic <iv...@webkreator.com> wrote:

>    I like the idea. Right now you either have to
>    change the source code or use mod_security to achieve
>    this, but I think the feature belongs to the server core.
> 
>    But I think a new server directive is a better solution.

As Lars said (and I agree), it has nothing to do with security. Why do you
provide such a "feature" then?

As you may have guessed, I'm -1 on the idea as well :)

nd

Re: Proposal: Allow ServerTokens to specify Server header completely

Posted by Ivan Ristic <iv...@webkreator.com>.
Jim Jagielski wrote:

> I'd like to get some sort of feedback concerning the idea
> of having ServerTokens not only "adjust" what Apache
> sends in the Server header, but also allow the directive
> to fully set that info.
> 
> For example: ServerTokens Set Aporche/3.5
> would cause Apache to send Aporche/3.5 as the
> Server header. Some people want to be able to "totally"
> obscure the server type.

   I like the idea. Right now you either have to
   change the source code or use mod_security to achieve
   this, but I think the feature belongs to the server core.

   But I think a new server directive is a better solution.

   ...

   BTW, I've recently joined the dev@httpd.apache.org mailing
   list to observe how things are done here. In the long run,
   I would like to start contributing to the Apache web server,
   on the security side of things.

   I've been doing this from the outside with the mod_security
   module, but there are some things that are better done from
   the inside.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]