Improving Apache Webserver Security with ServerTokens directive
By default, Apache is configured to send detailed information about its setup (Apache version number, compiled-in modules, etc.) in its responses.
In a production environment this information is unnecessary, and it is better not to publish it at all. The ServerTokens directive lets you control how much of it is sent to the client.
Below you can see the output from an Apache server with the default settings.
alis@advance17:~$ telnet 192.168.5.56 80
Trying 192.168.5.56...
Connected to 192.168.5.56.
Escape character is '^]'.
sfs
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>sfs to /index.html not supported.<br />
</p>
<hr>
<address>Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.5 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 Server at feasiblecrm.vedius.com.tr Port 80</address>
</body></html>
Connection closed by foreign host.
As you can see, it prints out the version information for Apache, PHP and Python. We wouldn't want to share this information with a potential intruder.
Let's see how we can fix it. Normally this setting is part of the httpd.conf file, but on Debian-based systems httpd.conf is split into several files. On my Ubuntu system this setting is stored in the /etc/apache2/conf.d/security file.
If you search for ServerTokens in this file you will see that by default it has the value Full. We will change it to Prod, which stands for Production.
After this modification you need to restart the Apache webserver. As you can see from the output below, from now on we only report that our server is an Apache server.
alis@advance17:~$ telnet 192.168.5.56 80
Trying 192.168.5.56...
Connected to 192.168.5.56.
Escape character is '^]'.
aaa
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>aaa to /index.html not supported.<br />
</p>
<hr>
<address>Apache Server at feasiblecrm.vedius.com.tr Port 80</address>
</body></html>
Connection closed by foreign host.
alis@advance17:~$
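The check and the fix described above, written out as a small shell audit. This is an added example, not code from the original post: it assumes the Debian conf.d/security layout the post mentions, builds a sample configuration in a temporary directory, reports the effective ServerTokens and ServerSignature values, rewrites ServerTokens to Prod, and classifies a captured Server header value by how much it reveals.

```shell
#!/bin/sh
# Added example (not from the original post): audit an Apache config tree for
# ServerTokens/ServerSignature and apply the Prod value the post describes.
# The Debian conf.d/security layout is assumed; the sample config is constructed.
# Effective value of a directive across the tree. Apache honours the last
# occurrence it reads; Include order is not reproduced here, so differing
# values are reported as CONFLICT for manual review. Absent -> default ($3).
effective_directive() {
    vals=$(grep -rhi "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null | awk '{print $2}')
    if [ "$(printf '%s\n' "$vals" | grep -c .)" -gt 1 ] &&
       [ "$(printf '%s\n' "$vals" | sort -u | grep -c .)" -gt 1 ]; then
        echo CONFLICT; return
    fi
    last=$(printf '%s\n' "$vals" | tail -n 1)
    printf '%s\n' "${last:-$3}"
}
# Rewrite ServerTokens to Prod in one file, appending the line if absent. The
# edit goes through a temp file and mv so no backup copy is left behind in a
# directory that Apache includes wholesale.
set_server_tokens_prod() {
    if grep -q '^[[:space:]]*ServerTokens[[:space:]]' "$1"; then
        sed 's/^\([[:space:]]*\)ServerTokens[[:space:]].*/\1ServerTokens Prod/' "$1" > "$1.tmp" \
            && mv "$1.tmp" "$1"
    else
        printf 'ServerTokens Prod\n' >> "$1"
    fi
}
# Classify a Server header value (without the "Server:" prefix) by how much it
# reveals: bare "Apache" is what Prod sends; a version or module list is not.
classify_server_header() {
    case "$1" in
        Apache) echo prod;;
        *"("*|*/*" "*/*) echo "version+os-or-modules";;
        */*) echo version-only;;
        *) echo other;;
    esac
}
# Constructed sample: the default Full setting, then the fix applied.
demo() {
    tmp=$(mktemp -d); mkdir -p "$tmp/conf.d"
    printf 'ServerTokens Full\nServerSignature On\n' > "$tmp/conf.d/security"
    echo "before: ServerTokens=$(effective_directive "$tmp" ServerTokens Full)"
    set_server_tokens_prod "$tmp/conf.d/security"
    echo "after:  ServerTokens=$(effective_directive "$tmp" ServerTokens Full)"
    echo "ServerSignature=$(effective_directive "$tmp" ServerSignature Off) (Off also removes the <address> footer)"
    rm -rf "$tmp"
}
demo
```

Run it against the real tree with `effective_directive /etc/apache2 ServerTokens Full` after sourcing the script; the <address> line in the second telnet session comes from ServerSignature, which the audit reports alongside ServerTokens.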
