Posted to users@httpd.apache.org by Tom Welsh <tw...@square-box.com> on 2003/12/09 12:12:13 UTC
[users@httpd] Changing "Server: Apache" header to user defined header
Hi list,
First off let me apologise for this post. I have read the faq and mailing
list searching for the answer but can't find it anywhere.
I'm running Solaris 2.8 and apache 2.0.48
What I want to do is remove .......
Server: Apache
From the http header and replace it with
Server: Some corp stuff
The reason behind this is to make it harder to identify the server type. I
know that doing other penetration testing techniques you can still identify
the server and simply running an apache vulnerability will show it as
apache. But that's what we want
I have tried mod_header but I still get "Server:Apache" if an error is
generated. Looking at mod_header for apache 1.3.x you could handle this with
the ErrorHeader directive but this seems to have been removed for the
version used in Apache 2.0.X
What I think I'll need to do is change it in the code but not being a
programmer I don't know how to. I believe it lives in core.c but looking there
I can't find it.
Can anyone send me the code diff that I'd need to run against httpd-2.0.48
sources to facilitate this.
I'm sure I'm not the only one who wants to do this. Am I?
I did change it on linux but I used sed and replaced the string with my own
string. Unfortunately this hack didn't work on solaris :(
Here's the hack if anyone is interested
Before you do this, consider the following:
1. Make sure you know the apache version number and substitute that in for
VERSION below (i.e. 1.3.20 yields
Apache\/1.3.20)
2. Make sure the replacement name is the same number of letters as the first
string, noting that \/ is actually / in the file itself; it's escaped.
I.e.:
Apache/1.3.20 (13 characters) could map to MAPMAPMAPMAPM (13
characters)
3. Similarly, you can use spaces to pad out, but you CAN NOT exceed the
initial character count. Unless you want to perform a server recompile, this
is the quickest and easiest way of doing things
4. This is a nasty hack, but it works on Linux systems. Take the apache
binary (usually /usr/sbin/httpd on RedHat default installs) and run this
command on it:
sed -e "s:Apache\/VERSION:REPLACEMENT_NAME:g" httpd > new_httpd
Stop apache; move new_httpd onto the old httpd, and add ServerTokens
Minimal to your apache config file
Restart apache et voila.
Thanks for your help
Tom Welsh
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
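
The same-length rule from steps 2 and 3 of the post, as an added example that is not part of the original message: a byte-level replacement in Python that pads a shorter banner with spaces, refuses a longer one, and writes a patched copy instead of overwriting the binary. The function names `patch_banner` and `patch_file` are hypothetical, and `SAMPLE` is constructed data standing in for a slice of an httpd binary.

```python
import os


def patch_banner(data: bytes, old: bytes, new: bytes) -> tuple[bytes, int]:
    """Swap every `old` for `new` without changing the length of `data`.

    A shorter replacement is padded with spaces; a longer one is refused,
    because shifting bytes inside a compiled binary would corrupt it.
    """
    if not old:
        raise ValueError("search string is empty")
    if len(new) > len(old):
        raise ValueError(
            f"replacement is {len(new)} bytes, original is only {len(old)}")
    padded = new.ljust(len(old), b" ")
    count = data.count(old)
    patched = data.replace(old, padded)
    if len(patched) != len(data):          # must hold, checked anyway
        raise RuntimeError("length changed during patching")
    return patched, count


def patch_file(src: str, dst: str, old: bytes, new: bytes) -> int:
    """Write a patched copy of `src` to `dst`; `src` itself is not modified."""
    with open(src, "rb") as fh:
        data = fh.read()
    patched, count = patch_banner(data, old, new)
    if count == 0:
        raise LookupError("banner not found: check the version string")
    with open(dst, "wb") as fh:
        fh.write(patched)
    os.chmod(dst, os.stat(src).st_mode & 0o7777)  # keep the executable bits
    return count


# Constructed sample: a few bytes standing in for part of an httpd binary.
SAMPLE = b"\x7fELF\x00\x01Apache/1.3.20\x00(Unix)\x00\xff\xfeApache/1.3.20\x00"

if __name__ == "__main__":
    out, n = patch_banner(SAMPLE, b"Apache/1.3.20", b"Some corp")
    print(n, "occurrence(s) patched, size unchanged:", len(out) == len(SAMPLE))
    print(out)
```

Because it reads and writes raw bytes, the result does not depend on how a given platform's sed treats binary input.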