httpd-users mailing list archives

From Richard de Vries <richard_devr...@yahoo.com>
Subject Re: [users@httpd] Removing or overwriting "Server" header field.
Date Wed, 24 Jan 2007 20:35:23 GMT
Joshua, that is not entirely true.

By making believe you're running a different webserver
than you really are ... you can potentially buy
yourself some valuable time.

If an attacker wants to attack/cripple your site,
he/she will most likely first try all known
vulnerabilities for that webserver.

So, if you make it appear you're running IIS, while in
reality you're running Apache, there is a big chance
you'll see IIS attacks hit your webserver first, which
will hopefully set off your IDS.

I have modsecurity running on my apache instances, and
I often see all kinds of IIS exploits hitting my box.
This then gives me time to look through my various apache
and firewall logs, and take some corrective measures
like for instance slapping some IPTables rules on the
box to block that IP.

If I weren't masking my web server, I'd probably
get hit with Apache exploits right away, which could
potentially give me less time to respond since an
attacker could potentially find either a way in
and/or do damage much quicker.

Granted, this is not ALWAYS the case ... but in my
experience it really does help.


--- Joshua Slive <joshua@slive.ca> wrote:

> On 1/24/07, Simon Ashford <Simon.Ashford@npl.co.uk> wrote:
> >
> > Hmmm...
> >
> > Doesn't seem to work.  Still get "Server: Apache" in the
> > HTTP headers regardless of SecServerSignature.
> >
> > Get the impression from various reading that the Server
> > header is added by Apache pretty much at the very end of
> > processing, after anything done by other modules.
> >
> > Probably something the developers ought to address. It would
> > be nice, for example, to be able to put "ServerTokens None"
> > or some such in the basic configuration file without needing
> > any other modules loaded...
>
> Go search the dev list.  You'll see that this question has been
> addressed in depth, probably a dozen different times.  The answer is:
> You don't gain any security by omitting or lying in the Server header,
> so it is your "security audit" that is faulty, not apache.
>
> (Many of us would still like to see the "ServerTokens None" option,
> but only to get rid of silly discussions like these.  It doesn't
> actually do any good and can potentially do harm.)
>
> Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
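As an added example (not code from this thread or from the Apache project), here is a small detector in the spirit of Richard's argument: it parses Apache combined-format access log lines and counts, per client address, requests for resources that exist only on an IIS host, which on an Apache box are unambiguous wrong-platform probes worth checking against the other logs. The fingerprint list, the log lines and the IP addresses are all assumed or constructed for the example.

```python
import re
from collections import Counter

# Apache "combined" log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Assumed fingerprint list: paths and extensions that only exist on an IIS host,
# so a request for them on an Apache box is a wrong-platform probe, not real traffic.
IIS_ONLY_PREFIXES = ("/_vti_bin/", "/msadc/", "/scripts/", "/iisadmin/")
IIS_ONLY_EXTENSIONS = (".asp", ".aspx", ".asmx", ".dll", ".ida", ".idq")

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_wrong_platform_probe(path):
    """True when the requested path (query string stripped) only makes sense on IIS."""
    lower = path.split("?", 1)[0].lower()
    return lower.startswith(IIS_ONLY_PREFIXES) or lower.endswith(IIS_ONLY_EXTENSIONS)

def probe_counts(lines):
    """Count wrong-platform probes per source IP; unparsable lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_wrong_platform_probe(rec["path"]):
            counts[rec["ip"]] += 1
    return counts

# Constructed sample access log (203.0.113.0/24 is a documentation address range).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jan/2007:20:35:23 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla"',
    '203.0.113.9 - - [24/Jan/2007:20:35:24 +0000] "GET /default.asp HTTP/1.0" 404 0 "-" "-"',
    '203.0.113.9 - - [24/Jan/2007:20:35:25 +0000] "GET /_vti_bin/shtml.dll?x HTTP/1.0" 404 0 "-" "-"',
    '203.0.113.9 - - [24/Jan/2007:20:35:26 +0000] "GET /msadc/ HTTP/1.0" 404 0 "-" "-"',
    '203.0.113.7 - - [24/Jan/2007:20:35:27 +0000] "POST /contact.php HTTP/1.1" 200 88 "-" "Mozilla"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    # One host probing for IIS-only resources is worth a closer look in the other logs.
    for ip, n in probe_counts(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} request(s) aimed at a different web server")
```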

