Posted to users@httpd.apache.org by Taco Fleur <ta...@nella.net.au> on 2004/01/25 22:27:56 UTC

[users@httpd] Stop Apache from reporting version number anywhere..

How can I stop Apache from returning the version number anywhere?
For example on error messages etc.
 
Taco Fleur
Blog  <http://www.tacofleur.com/index/blog/>
http://www.tacofleur.com/index/blog/
Methodology http://www.tacofleur.com/index/methodology/
0421 851 786
Tell me and I will forget
Show me and I will remember
Teach me and I will learn 
 

RE: [users@httpd] Stop Apache from reporting version number anywhere..

Posted by Taco Fleur <ta...@nella.net.au>.
What are other people's thoughts on this?

I personally reckon that those who use automated tools are script kiddies,
i.e. not real crackers - I believe real crackers will want to stay under the
radar and therefore perform aimed attacks instead of flooding the server
with requests that might disclose a security hole. For those aimed and
controlled attacks they first require as much info about you as possible.

But as you say I also see the flipside to it, and when not returning any of
this info people get curious, but still, I reckon only curious enough if
they know what they can expect on the other-side, i.e. a bank.

My 2cents

> -----Original Message-----
> From: Dan Trainor [mailto:dant@cavecreek.net] 
> Sent: Monday, 26 January 2004 2:44 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Stop Apache from reporting version 
> number anywhere..
> 
> 
> It's been our experience that the attack will happen regardless of 
> software version.  Most attacks now are automated, by bots, 
> doing sweep 
> on subnets and such.  It's rare anymore, in terms of numbers, to find 
> one single guy trying to take out one single site.  
> 
> Go ahead and give them your "bank name and account number".  If you 
> don't want them to have that, hop off the internet.  You have 
> to realize 
> that they've already "got it".  Numbers will show you that it 
> was done 
> in an automated process. 
> 
> I would imagine that this would also throw off some sort of 
> red flag for 
> the attacker or attack process.  I know I'd be curious if I 
> didn't get 
> back a version when I expected to see one.
> 
> -dant


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Stop Apache from reporting version number anywhere..

Posted by Dan Trainor <da...@cavecreek.net>.
It's been our experience that the attack will happen regardless of 
software version.  Most attacks now are automated, by bots, doing sweep 
on subnets and such.  It's rare anymore, in terms of numbers, to find 
one single guy trying to take out one single site.  

Go ahead and give them your "bank name and account number".  If you 
don't want them to have that, hop off the internet.  You have to realize 
that they've already "got it".  Numbers will show you that it was done 
in an automated process. 

I would imagine that this would also throw off some sort of red flag for 
the attacker or attack process.  I know I'd be curious if I didn't get 
back a version when I expected to see one.

-dant


Taco Fleur wrote:

>I don't think you understand one bit - I am not deluding myself and thinking
>it will give me security, what I do know is that I am not handing any info
>that will help them...
>
>You hand them all the info you want, I'll try and hand as little info as
>possible, everyone happy.
>
>Taco Fleur
>Blog http://www.tacofleur.com/index/blog/
>Methodology http://www.tacofleur.com/index/methodology/
>0421 851 786
>Tell me and I will forget
>Show me and I will remember
>Teach me and I will learn 
>
>
>  
>




RE: [users@httpd] Stop Apache from reporting version number anywhere..

Posted by Taco Fleur <ta...@nella.net.au>.
I don't think you understand one bit - I am not deluding myself and thinking
it will give me security, what I do know is that I am not handing any info
that will help them...

You hand them all the info you want, I'll try and hand as little info as
possible, everyone happy.

Taco Fleur
Blog http://www.tacofleur.com/index/blog/
Methodology http://www.tacofleur.com/index/methodology/
0421 851 786
Tell me and I will forget
Show me and I will remember
Teach me and I will learn 


> -----Original Message-----
> From: Brian Dessent [mailto:brian@dessent.net] 
> Sent: Monday, 26 January 2004 2:06 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Stop Apache from reporting version 
> number anywhere..
> 
> 
> Taco Fleur wrote:
> 
> > I didn't think it would patch any security holes.
> > 
> > I don't agree with what you are saying, I believe displaying the 
> > webserver software and version is like giving someone my Bank name, 
> > account type and branch address, all they need to find out 
> is what my 
> > PIN is.
> 
> It's giving them info that they will have regardless of 
> whether you tell them or not.  If you honestly think someone 
> is going to probe your server and see the 'Header:' string 
> that doesn't contain a version number, and then say "Well, so 
> much for that, I guess he's not vulnerable" then you are 
> seriously deluding yourself.  When someone wants to know if 
> your server is vulnerable to an exploit, they try the 
> exploit.  They don't go by what version the server reports.  
> And if you seriously think that the only way to identify the 
> server software and version is by looking at the 'Header:' 
> field then you really need to read up on the security field.
> 
> This is especially true in the age of backporting.  The 
> redhat apache version is still 2.0.40, but they've backported 
> all of the serious flaws from the current .48.  So if an 
> attacker was scanning simply based on version numbers they 
> would have tons and tons of false positives for all those 
> Redhat systems out there.  In other words, attackers are not 
> fooled by what that header says.  Not displaying a version 
> number is not going to deter anyone.
> 
> Feel free to hide the version number if you really want to, 
> but DON'T delude yourself into thinking that it affords you 
> some degree of security.  If you have vulnerabilities you 
> need to fix them, period. 
> Changing the version string is not insurance against anything.
> 
> Brian
> 




Re: [users@httpd] Stop Apache from reporting version number anywhere..

Posted by Brian Dessent <br...@dessent.net>.
Taco Fleur wrote:

> I didn't think it would patch any security holes.
> 
> I don't agree with what you are saying, I believe displaying the webserver
> software and version is like giving someone my Bank name, account type and
> branch address, all they need to find out is what my PIN is.

It's giving them info that they will have regardless of whether you tell
them or not.  If you honestly think someone is going to probe your
server and see the 'Header:' string that doesn't contain a version
number, and then say "Well, so much for that, I guess he's not
vulnerable" then you are seriously deluding yourself.  When someone
wants to know if your server is vulnerable to an exploit, they try the
exploit.  They don't go by what version the server reports.  And if you
seriously think that the only way to identify the server software and
version is by looking at the 'Header:' field then you really need to
read up on the security field.

This is especially true in the age of backporting.  The redhat apache
version is still 2.0.40, but they've backported all of the serious flaws
from the current .48.  So if an attacker was scanning simply based on
version numbers they would have tons and tons of false positives for all
those Redhat systems out there.  In other words, attackers are not
fooled by what that header says.  Not displaying a version number is not
going to deter anyone.

Feel free to hide the version number if you really want to, but DON'T
delude yourself into thinking that it affords you some degree of
security.  If you have vulnerabilities you need to fix them, period. 
Changing the version string is not insurance against anything.

Brian



RE: [users@httpd] Stop Apache from reporting version number anywhere..

Posted by Taco Fleur <ta...@nella.net.au>.
> Because hiding your version number doesn't do anything to 
> patch security holes.  You are 100% as vulnerable to whatever 
> vulnerabilities you may have regardless of what version 
> number your server advertises.  It's not going to stop you 
> from being hacked, if that's what you were thinking. 
> An analogy would be placing a post-it note on your front door 
> that says "There is no big-screen TV inside." when any 
> burglar can see plainly in your front window that in fact 
> there is a large big-screen TV sitting right there in the living room.

I didn't think it would patch any security holes.

I don't agree with what you are saying, I believe displaying the webserver
software and version is like giving someone my Bank name, account type and
branch address, all they need to find out is what my PIN is.




Re: [users@httpd] Stop Apache from reporting version number anywhere..

Posted by Brian Dessent <br...@dessent.net>.
Taco Fleur wrote:
> 
> > You can do this with the 'ServerTokens' parameter (not
> > 'ServerSignature', BTW, which doesn't affect the 'Server'
> > header and other locations where it's printed.)
> 
> It worked, I set the ServerSignature to off and the software version and
> webserver type did not appear on the 404 pages anymore.

It's still being sent with every single request in the 'Server' header.

> > But, if you think that by doing this you're increasing
> > security you're just wasting your time.
> 
> Why is that do you reckon?

Because hiding your version number doesn't do anything to patch security
holes.  You are 100% as vulnerable to whatever vulnerabilities you may
have regardless of what version number your server advertises.  It's not
going to stop you from being hacked, if that's what you were thinking. 
An analogy would be placing a post-it note on your front door that says
"There is no big-screen TV inside." when any burglar can see plainly in
your front window that in fact there is a large big-screen TV sitting
right there in the living room.

> And what exactly does the ServerTokens do?

The Apache documentation team doesn't write manuals just for the heck of
it you know.  http://httpd.apache.org/docs/mod/core.html#servertokens

Brian



RE: [users@httpd] Stop Apache from reporting version number anywhere..

Posted by Taco Fleur <ta...@nella.net.au>.
> You can do this with the 'ServerTokens' parameter (not 
> 'ServerSignature', BTW, which doesn't affect the 'Server' 
> header and other locations where it's printed.)

It worked, I set the ServerSignature to off and the software version and
webserver type did not appear on the 404 pages anymore.

> But, if you think that by doing this you're increasing 
> security you're just wasting your time.

Why is that do you reckon?

And what exactly does the ServerTokens do?




Re: [users@httpd] Stop Apache from reporting version number anywhere..

Posted by Brian Dessent <br...@dessent.net>.
> Taco Fleur wrote:
> 
> How can I stop Apache from returning the version number anywhere?
> For example on error messages etc.

You can do this with the 'ServerTokens' parameter (not
'ServerSignature', BTW, which doesn't affect the 'Server' header and
other locations where it's printed.)

But, if you think that by doing this you're increasing security you're
just wasting your time.

Brian
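The two directives the thread argues over, as an added example that is neither code from the thread nor from the Apache project: a small Python checker that, given a raw HTTP response, reports whether a version appears in the Server header, whether an error-page signature footer is present, and which httpd directive would remove each. The three responses are constructed for this example (host name, date and version strings are made up, though the Server header and the <address> footer follow httpd's own format); the function names are mine.

```python
import re

# Constructed sample responses (not captured from a real host). The Server
# header and <address> footer follow httpd's conventions; the host name, date
# and version strings are invented for illustration.

# Defaults plus "ServerSignature On": version in the header and in the footer.
RESPONSE_FULL = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Sun, 25 Jan 2004 22:27:56 GMT\r\n"
    "Server: Apache/2.0.48 (Unix) mod_ssl/2.0.48 OpenSSL/0.9.7c\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head><body>\n"
    "<h1>Not Found</h1>\n<hr />\n"
    "<address>Apache/2.0.48 (Unix) Server at www.example.com Port 80</address>\n"
    "</body></html>\n"
)

# Same server after only "ServerSignature Off": the footer is gone, but the
# Server header is unchanged. This is the state the thread describes.
RESPONSE_SIG_OFF = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.0.48 (Unix) mod_ssl/2.0.48 OpenSSL/0.9.7c\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head><body>\n"
    "<h1>Not Found</h1>\n</body></html>\n"
)

# After "ServerTokens Prod" and "ServerSignature Off": product name only.
RESPONSE_PROD = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head><body>\n"
    "<h1>Not Found</h1>\n</body></html>\n"
)

VERSION_RE = re.compile(r"Apache/(\d+(?:\.\d+)+)")
SIGNATURE_RE = re.compile(r"<address>(.*?)</address>", re.S)


def split_response(raw):
    """Split a raw HTTP/1.x response into (headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def audit(raw):
    """Report where an Apache version leaks and which directives remove it."""
    headers, body = split_response(raw)
    server = headers.get("server", "")
    m = VERSION_RE.search(server)
    server_version = m.group(1) if m else None

    sig = SIGNATURE_RE.search(body)
    signature_present = sig is not None
    signature_version = None
    if sig:
        m = VERSION_RE.search(sig.group(1))
        signature_version = m.group(1) if m else None

    fix = []
    if server_version or signature_version:
        fix.append("ServerTokens Prod")       # trims Server: and the signature text
    if signature_present:
        fix.append("ServerSignature Off")     # removes the footer on error pages
    return {
        "server_header": server,
        "server_version": server_version,
        "signature_present": signature_present,
        "signature_version": signature_version,
        "fix": fix,
    }


if __name__ == "__main__":
    for name, raw in (("full", RESPONSE_FULL), ("sig_off", RESPONSE_SIG_OFF),
                      ("prod", RESPONSE_PROD)):
        print(name, audit(raw))
```

Run against the three samples, the second one reproduces the situation the replies above describe: with only ServerSignature Off the footer disappears, but Server: still carries 2.0.48, so the checker still asks for ServerTokens Prod. Prod is the least httpd itself will send (Server: Apache), so the product name stays visible, and, as Brian's replies stress, neither directive changes what the server is actually vulnerable to.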




Re: [users@httpd] Stop Apache from reporting version number anywhere..

Posted by Jason D <ja...@codepanzyz.com>.
Search your httpd.conf for "ServerSignature". Turn that to off; this will stop it from showing in error messages. 
    ----- Original Message ----- 
  From: Taco Fleur 
  To: users@httpd.apache.org 
  Sent: Sunday, January 25, 2004 1:27 PM
  Subject: [users@httpd] Stop Apache from reporting version number anywhere..


  How can I stop Apache from returning the version number anywhere?
  For example on error messages etc.

  Taco Fleur
  Blog http://www.tacofleur.com/index/blog/
  Methodology http://www.tacofleur.com/index/methodology/
  0421 851 786
  Tell me and I will forget
  Show me and I will remember
  Teach me and I will learn