Posted to users@httpd.apache.org by Shashank Bhide <sh...@biochem.okstate.edu> on 2003/11/17 20:41:11 UTC

[users@httpd] Apache/1.3.28 Server at foo.bar.edu Port 80

I was curious, is there a way to remove the above (subject) line from
various error outputs? For example, I am using a .htaccess from one of
the directories and if I enter a wrong login and/or password, I get the
standard output "Authorization Required". But there is a line at the end
"Apache/1.3.28 Server at foo.bar.edu Port 80". I would like to remove
this, just as a security feature.
What are the other errors where I would get this line? Is there a
standard way to remove it? Any help is appreciated.
Thank you
Shashank


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache/1.3.28 Server at foo.bar.edu Port 80

Posted by Jeff White <jl...@earthlink.net>.
From: "Shashank Bhide" 

> newbie to Apache). So now I got myself to
> read the security tutorials on Apache web-site.
> I think it will help me understand more about Apache
> security in general. Any additional information about
> security books on Apache will be greatly appreciated.


<quote>
Covers Apache 1.3
and Apache 2 and 
Windows, Unix and Macs.

A hacker's guide to protecting
your Apache web server.
</quote>

Maximum Apache Security
By Anonymous
Put out by: SAMS Books 
ISBN 0-672-32380-X
June 2002

Jeff





RE: [users@httpd] Apache/1.3.28 Server at foo.bar.edu Port 80

Posted by Shashank Bhide <sh...@biochem.okstate.edu>.
Okay, I get the gist of this discussion. I need to upgrade to be secure
enough. Also, hiding the signatures doesn't help as much as I had thought (I am a
newbie to Apache). So now I got myself to read the security tutorials on the
Apache web-site. I think it will help me understand more about Apache
security in general. Any additional information about security books on
Apache will be greatly appreciated.
Thank you all who responded. It was indeed educational.
Regards,
Shashank


-----Original Message-----
From: André Malo [mailto:nd@perlig.de] 
Sent: Tuesday, November 18, 2003 10:53 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache/1.3.28 Server at foo.bar.edu Port 80

* "Rafael Faura" <rf...@bassy.net> wrote:

> But I do have a problem with people recommending this as a
> security enhancement.  It's not.
> 
> ----------------
> 
> Good for you, I have a different opinion :)

Fine that you don't have a problem with such people ;-) But it doesn't
change the fact (vs. opinion). It's not a security enhancement.

nd



Re: [users@httpd] Apache/1.3.28 Server at foo.bar.edu Port 80

Posted by André Malo <nd...@perlig.de>.
* "Rafael Faura" <rf...@bassy.net> wrote:

> But I do have a problem with people recommending this as a
> security enhancement.  It's not.
> 
> ----------------
> 
> Good for you, I have a different opinion :)

Fine that you don't have a problem with such people ;-) But it doesn't
change the fact (vs. opinion). It's not a security enhancement.

nd



RE: [users@httpd] Apache/1.3.28 Server at foo.bar.edu Port 80

Posted by Rafael Faura <rf...@bassy.net>.
But I do have a problem with people recommending this as a
security enhancement.  It's not.

----------------

Good for you, I have a different opinion :)




RE: [users@httpd] Apache/1.3.28 Server at foo.bar.edu Port 80

Posted by Joshua Slive <jo...@slive.ca>.
[This thread has pretty-much concluded in my absence, but there are a
couple things here I should really correct.]

On Tue, 18 Nov 2003, Rafael Faura wrote:
> --- Fortunately we aren't talking about IIS ;). My logs are full of IIS
> unicode/decode attempt exploit lines, nothing that can affect Apache. And
> script kiddies, especially script kiddies, have **no idea** about exploiting
> Apache bugs, they only run simple IIS unicode/decode scanners.

Not at all true.  I don't know of any worms targeting the core Apache
code, but there have certainly been worms targeting Apache together with
certain other programs.  Take the recent OpenSSL worm, for example.

> 2. Smart crackers can easily figure out this information with high
> accuracy regardless of whether you display it publicly.
>
> --- Smart crackers?... well, I suppose that you're talking about smart
> hackers.

See: http://www.catb.org/~esr/jargon/html/C/cracker.html

Personally, I don't have any problem with people mucking with their
ServerSignature and Server: header; you can do what you want with your own
server.  But I do have a problem with people recommending this as a
security enhancement.  It's not.

Joshua.



RE: [users@httpd] Apache/1.3.28 Server at foo.bar.edu Port 80

Posted by Rafael Faura <rf...@bassy.net>.
1. Most compromises are from script kiddies and worms.  They usually try
every possible exploit on every possible host, so they couldn't care less
what your Server header says.

--- Fortunately we aren't talking about IIS ;). My logs are full of IIS
unicode/decode attempt exploit lines, nothing that can affect Apache. And
script kiddies, especially script kiddies, have **no idea** about exploiting
Apache bugs, they only run simple IIS unicode/decode scanners.

2. Smart crackers can easily figure out this information with high
accuracy regardless of whether you display it publicly.

--- Smart crackers?... well, I suppose that you're talking about smart
hackers. Anyway, I agreed, there are tools that could check which Apache
version you are using, instead of what ServerTokens and ServerSignature say
(anyway the **merit** goes to the tool, not to the person that's using it).
But I prefer not to show that info from the beginning.

3. All you've done is taken away a tool the network administrator could
have used to easily find insecure hosts to be upgraded.

--- Of course there are more effective ways to protect and secure your Apache
environment, changing ServerTokens and ServerSignature is one of them :)


There may be rare cases where not displaying this information could throw
off a stupid and lazy cracker, but you are much better off using your time
to look at real security issues.

--- That's easy. If there are some real security exploits in the actual Apache
distro you get the fixes from CVS and compile yourself a patched version.


Joshua.



RE: [users@httpd] Apache/1.3.28 Server at foo.bar.edu Port 80

Posted by Joshua Slive <jo...@slive.ca>.
On Mon, 17 Nov 2003, Rafael Faura wrote:
> Yes, this is going to improve security, at least more than showing to
> everyone your apache version and compiled modules version (a.k.a "hey, i'm
> using an Apache version that has a well-known bug") :P.

Nope.  We've had this discussion many times on this list.  Because I'm
bored, I'll repeat myself ;-)

1. Most compromises are from script kiddies and worms.  They usually try
every possible exploit on every possible host, so they couldn't care less
what your Server header says.

2. Smart crackers can easily figure out this information with high
accuracy regardless of whether you display it publicly.

3. All you've done is taken away a tool the network administrator could
have used to easily find insecure hosts to be upgraded.

There may be rare cases where not displaying this information could throw
off a stupid and lazy cracker, but you are much better off using your time
to look at real security issues.

Joshua.



RE: [users@httpd] Apache/1.3.28 Server at foo.bar.edu Port 80

Posted by Rafael Faura <rf...@bassy.net>.

See the directives ServerSignature and ServerTokens in the documentation.
But you're wasting your time if you think this is going to improve
security.

Joshua.

------------------------------

Yes, this is going to improve security, at least more than showing to
everyone your Apache version and compiled modules version (a.k.a "hey, I'm
using an Apache version that has a well-known bug") :P.


Shashank, use these settings on your httpd.conf:

ServerTokens Prod
ServerSignature Off
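The two directives above change what the Server header and the error-page footer disclose, and Joshua's third point is that the same disclosure is what an administrator's own inventory scan relies on. The following Python script is an added example, not code from this thread or from the Apache project: it parses HTTP responses, maps the Server header value to the ServerTokens level that would have produced it (Prod, Min, OS and Full exist in Apache 1.3; Major and Minor were added in Apache 2.x), pulls out the ServerSignature footer, and lists hosts whose disclosed version is below a chosen minimum or that disclose nothing at all. The sample responses, the module name mod_example and all function names are constructed for the example; the hostname and version string are the ones from the thread's subject line.

```python
"""Audit what Apache's ServerTokens / ServerSignature settings reveal.

Added example for the users@httpd thread; not code from the thread or from
the Apache project. All responses below are constructed, not captured.
"""
import re
from typing import Dict, Optional, Tuple

# Footer that ServerSignature On/EMail appends to server-generated pages.
SIGNATURE_RE = re.compile(r"<address>(.*?)</address>", re.IGNORECASE | re.DOTALL)
# "Apache/1.3.28" -> ("1", "3", "28"); the minor and patch parts are optional.
VERSION_RE = re.compile(r"^Apache/(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def split_response(raw: str) -> Tuple[str, str]:
    """Split a raw HTTP response into (header block, body) at the first blank line."""
    head, _sep, body = raw.partition("\r\n\r\n")
    return head, body


def server_header(raw: str) -> Optional[str]:
    """Return the Server header value, or None when the header is absent."""
    head, _ = split_response(raw)
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def server_signature(raw: str) -> Optional[str]:
    """Return the ServerSignature footer text from the body, or None if absent."""
    _, body = split_response(raw)
    m = SIGNATURE_RE.search(body)
    return " ".join(m.group(1).split()) if m else None


def classify_tokens(value: Optional[str]) -> str:
    """Map a Server header value to the ServerTokens level that produces it.

    Prod -> "Apache"; Major -> "Apache/2"; Minor -> "Apache/2.4";
    Min -> "Apache/2.4.41"; OS -> adds "(Unix)"; Full -> adds the module list.
    "Absent" means no Server header, "Other" means not an Apache-style value.
    """
    if value is None:
        return "Absent"
    if value.strip() == "Apache":
        return "Prod"
    m = VERSION_RE.match(value)
    if not m:
        return "Other"
    _major, minor, patch = m.groups()
    if minor is None:
        return "Major"
    if patch is None:
        return "Minor"
    rest = value[m.end():].strip()
    if not rest:
        return "Min"
    if re.fullmatch(r"\([^)]*\)", rest):
        return "OS"
    return "Full"


def apache_version(value: Optional[str]) -> Optional[Tuple[int, ...]]:
    """Numeric Apache version disclosed by the Server header, or None."""
    if value is None:
        return None
    m = VERSION_RE.match(value)
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def audit(raw: str) -> Dict[str, object]:
    """Summarise what a single response discloses about the server."""
    value = server_header(raw)
    return {
        "server": value,
        "tokens_level": classify_tokens(value),
        "version": apache_version(value),
        "signature": server_signature(raw),
    }


def hosts_below(responses: Dict[str, str],
                minimum: Tuple[int, ...]) -> Dict[str, Optional[Tuple[int, ...]]]:
    """Inventory helper: hosts that disclose a version older than `minimum`,
    plus hosts that disclose no version (mapped to None), which a header-based
    scan cannot clear and must be checked by other means."""
    flagged: Dict[str, Optional[Tuple[int, ...]]] = {}
    for host, raw in responses.items():
        ver = apache_version(server_header(raw))
        if ver is None or ver < minimum:
            flagged[host] = ver
    return flagged


# Constructed sample: ServerTokens Full and ServerSignature On. mod_example is
# a hypothetical module name, not a real Apache module.
FULL_RESPONSE = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "Server: Apache/1.3.28 (Unix) mod_example/1.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Authorization Required</h1>\n<hr>\n"
    "<address>Apache/1.3.28 Server at foo.bar.edu Port 80</address>\n"
    "</body></html>"
)

# Constructed sample: ServerTokens Prod and ServerSignature Off.
PROD_RESPONSE = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Authorization Required</h1>\n</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("full", FULL_RESPONSE), ("prod", PROD_RESPONSE)):
        print(label, audit(raw))
    # Hypothetical minimum version, used only to exercise the inventory helper.
    print(hosts_below({"foo.bar.edu": FULL_RESPONSE, "hidden.example": PROD_RESPONSE}, (1, 3, 29)))
```

Run against the two constructed responses, the first is classified as Full with version (1, 3, 28) and a visible signature, the second as Prod with no version and no signature; the inventory call flags the first host as below the minimum and the second as undetermined, which is the trade-off the thread is arguing about.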




Re: [users@httpd] Apache/1.3.28 Server at foo.bar.edu Port 80

Posted by Joshua Slive <jo...@slive.ca>.
On Mon, 17 Nov 2003, Shashank Bhide wrote:

> I was curious, is there a way to remove the above (subject) line from
> various error outputs? For example, I am using a .htaccess from one of
> the directories and if I enter a wrong login and/or password, I get the
> standard output "Authorization Required". But there is a line at the end
> "Apache/1.3.28 Server at foo.bar.edu Port 80". I would like to remove
> this, just as a security feature.
> What are the other errors where I would get this line? Is there a
> standard way to remove it? Any help is appreciated.

See the directives ServerSignature and ServerTokens in the documentation.
But you're wasting your time if you think this is going to improve
security.

Joshua.
