On Fri Apr 19, 2002 at 06:15:03PM -0500, J. Craig Woods wrote:

> To the poster asking about turning Apache's so-called "advertising" off,
> I find this to be an interesting question. It is not really advertising
> in the strict sense of the word. It is what transpires during the HTTP
> protocol exchange. In this exchange, among other elements, machine and
> web server software info is exchanged. Here is a typical example of such
> an exchange:
>
> GET / HTTP/1.1
> Host: www.trismegistus.net
>
> HTTP/1.1 200 OK
> Date: Fri, 19 Apr 2002 22:50:55 GMT
> Server: Apache-AdvancedExtranetServer/1.3.22 (Linux-Mandrake/1.3mdk) mod_ssl/2.8.5 OpenSSL/0.9.5a PHP/4.0.6
> Last-Modified: Wed, 13 Mar 2002 17:58:38 GMT
> ETag: "15cf4-d45-3c8f934e"
> Accept-Ranges: bytes
> Content-Length: 3397
> Connection: close
> Content-Type: text/html
>
> So you see that this is really a form of identification, not
> "advertising". It is necessary for the exchange of this info so that one
> machine can "talk" to another, using HTTP, and ask for the web page that
> the web server is running for the public.
>
> After all this having been said, I am not sure you can or would want to
> turn this communication off. Maybe the resident Apache guru, Vincent,
> can share some wisdom with us on this issue.
> AFAIK, if you want to remove the Apache version and other info, you will
> have to modify the source code and recompile (I could be wrong).
>
> BTW why do you want to turn this feature off?

This is, of course, the big question. Security through obscurity is no
security at all. I am, personally, not a big fan of this sort of
"security"... any good scanner (i.e. nessus) will be able to determine
enough information, and unless you want to modify the source to your web
server, MTA, ssh, etc. there isn't really much point.

Then again, being able to fingerprint operating systems based on TCP
packets themselves, at the very least a determined attacker will be able
to find out what OS you're running and then make some educated guesses as
to the software (do you run apache, roxen, or ximian? easy ways to
tell... same with the MTA... start looking for "quirks" in the MTAs and
you'll be able to figure out what software, even if you won't know the
exact version).

In other words, removing a single string is not much security at all, and
not worth the hassle.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
Current Linux kernel 2.4.18-6mdk uptime: 4 days 11 hours 6 minutes.
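The exchange quoted above, and the "quirks" point in the reply, as an added example that is not part of the original thread (my own code, not Vincent's, Craig's or Apache's): a small Python script that parses the response shown in the thread, lists the product/version tokens in the Server header, and then checks the ETag for Apache's default "inode-size-mtime" hex layout, whose size and mtime fields should agree with Content-Length and Last-Modified. The first sample response is copied from the thread; the second is constructed to show what is left when Apache's ServerTokens Prod directive (a configuration setting, not a recompile) cuts the banner down to "Server: Apache". The function names are this example's own.

```python
# Added example, not code from the original thread or from Apache.
# Parses the HTTP response quoted in the thread and shows what identifies
# the server: the Server header's product tokens, and, independently of
# that header, Apache's default ETag layout.  Function names and the
# second sample response are this example's own assumptions.
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the response quoted in the thread, with CRLF line ends.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 19 Apr 2002 22:50:55 GMT\r\n"
    "Server: Apache-AdvancedExtranetServer/1.3.22 (Linux-Mandrake/1.3mdk) "
    "mod_ssl/2.8.5 OpenSSL/0.9.5a PHP/4.0.6\r\n"
    "Last-Modified: Wed, 13 Mar 2002 17:58:38 GMT\r\n"
    'ETag: "15cf4-d45-3c8f934e"\r\n'
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 3397\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed variant: the same response as Apache's "ServerTokens Prod"
# setting would send it, i.e. with the Server header cut down to "Apache".
PROD_RESPONSE = re.sub(r"Server: [^\r]*\r\n", "Server: Apache\r\n", SAMPLE_RESPONSE)


def parse_response(raw):
    """Split a raw HTTP response into (status line, header dict, body).
    Header names are lower-cased; repeated headers are joined with ', '."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return status, headers, body


def server_tokens(server_value):
    """Return [(product, version-or-None), ...] from a Server header value.
    Parenthesised comments such as "(Linux-Mandrake/1.3mdk)" are dropped,
    since they hold the OS field rather than a product token."""
    without_comments = re.sub(r"\([^)]*\)", " ", server_value)
    tokens = []
    for token in without_comments.split():
        product, _, version = token.partition("/")
        tokens.append((product, version or None))
    return tokens


def apache_etag_match(headers):
    """Apache's default FileETag setting (INode MTime Size) emits
    ETag: "inode-size-mtime" with each field in lower-case hex.  If the
    size and mtime fields agree with Content-Length and Last-Modified,
    the response came from Apache (or a derivative) no matter what the
    Server header says.  Returns True on a match, False otherwise."""
    parts = headers.get("etag", "").strip('"').split("-")
    if len(parts) != 3 or not all(re.fullmatch(r"[0-9a-f]+", p) for p in parts):
        return False
    size = int(parts[1], 16)
    mtime = datetime.fromtimestamp(int(parts[2], 16), tz=timezone.utc)
    try:
        length = int(headers["content-length"])
        last_modified = parsedate_to_datetime(headers["last-modified"])
    except (KeyError, ValueError):
        return False
    return size == length and mtime == last_modified


def fingerprint(raw):
    """Summarise what a single response reveals about the server."""
    _, headers, _ = parse_response(raw)
    return {
        "server_tokens": server_tokens(headers.get("server", "")),
        "apache_etag": apache_etag_match(headers),
    }


if __name__ == "__main__":
    for label, raw in (("full banner", SAMPLE_RESPONSE),
                       ("ServerTokens Prod", PROD_RESPONSE)):
        print(label, fingerprint(raw))
```

Run as-is it prints the full token list for the quoted response and, for the trimmed banner, only ("Apache", None); in both cases the ETag check returns True, because 0xd45 is 3397 and 0x3c8f934e is exactly 13 Mar 2002 17:58:38 GMT. That is the kind of quirk the reply refers to: trimming the Server string changes nothing about what the response format itself gives away.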