|
|
 
Like the needy stranger who tells us his or her entire life story on
the occassion of our first meeting, Apache spews out way too much information
in every HTTP header. And like the unscrupulous sharpies who take advantage
of lonely folks they meet on buses, there are those who would use this
information to attack your system!
The default with Apache 1 and 2 is to send out information about the Server,
Version, OS, and all modules compiled in. On a Red Hat system with the
Apache 1.3.x RPM installed, it looks like this:
[usr-3@felix n]$ curl -s -I http://blahblah.com
HTTP/1.1 200 OK
Date: Fri, 11 Jul 2003 23:26:51 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2
Last-Modified: Thu, 10 Jul 2003 14:53:52 GMT
ETag: "8019e-d2af-3f0d7e00"
Accept-Ranges: bytes
Content-Length: 53935
Connection: close
Content-Type: text/html
|
We couldn't make it much easier to fingerprint our system, and to simplify
automated attacks which scan for vulnerable versions of Apache or its modules.
Luckily, the solution is just one simple directive away! Simply add
the ServerTokens directive to your httpd.conf file, in the global configuration section. This directive, like ServerType, *only* applies globally. It cannot
be applied to individual virtual hosts. There are a range of options for
this directive which range from the chatty verbosity seen above ("Full")
to a simple one-word response, which we prefer and have implemented by
adding the following line to our httpd.conf:
ServerTokens Prod
Which makes our headers look like this:
[usr-3@felix n]$ curl -s -I http://blahblah.com
HTTP/1.1 200 OK
Date: Fri, 11 Jul 2003 23:43:51 GMT
Server: Apache
Last-Modified: Thu, 10 Jul 2003 14:53:52 GMT
ETag: "8019e-d2af-3f0d7e00"
Accept-Ranges: bytes
Content-Length: 53935
Connection: close
Content-Type: text/html
|
Just one less piece of easy prey for the sharks.
|
|
