Bug#843014: Apache2: ServerTokens Minimal

2020-03-04 Thread receive

Hi there,
just would like to add my opinion.

First of all,
thank you Stefan for tagging this as "wontfix".

To be honest, for myself these tokens are essential for debugging 
customer appliances without having access to their services. We're able 
to identify their server software easily through these headers and are 
able to provide proper support services to them.
Further, they enable us to gather simple statistical information 
throughout our monitoring.


Further, normal users who are inexperienced are able to gather simple 
information, such as which services are running on their server, with a 
simple nmap scan.
Some tutorials rely on these headers, and if we didn't have them 
anymore, we couldn't use those tutorials properly anymore. Just google a bit 
and you'll find one quite fast.


All in all, they're quite nice to have.
If anyone feels annoyed by them, they're able to turn it off.
I don't think we should remove it by default. As Stefan already 
mentioned, they could be a security issue - but as a black hat you could 
gather the server information anyway quite fast if you're experienced 
enough.


Best wishes,
Anna Sdvoijspa



Bug#843014: Apache2: ServerTokens Minimal

2016-11-03 Thread Stefan Fritsch
tags 843014 wontfix
thanks

On Thursday, 3 November 2016 07:42:39 CET Heinrich Schuchardt wrote:
> This results in a header like:
> Server: Apache/2.4.10 (Debian)
> 
> Sending the Apache and OS version is a waste of bandwidth.
> Unfortunately Apache does not allow one to completely suppress this
> superfluous header.
> 
> Furthermore the current setting exposes valuable information to a
> possible intruder:
> Why should any HTTP client care which OS my server is using?

There are services that create statistics of the whole internet based on the 
Server header. Including Debian there gives an idea how many servers run 
Debian compared to other OSs, and which release of Debian. Therefore I prefer 
not to change the default. I don't think the bandwidth waste is relevant in 
most setups. On systems where it is, the admin can change the setting, of 
course.

While it is true that knowing the OS may give a potential advantage to an 
attacker, it is usually also possible to infer this information from other 
properties of the default configuration. If your security depends on the OS 
being secret, you have bigger problems.

Cheers,
Stefan



Bug#843014: Apache2: ServerTokens Minimal

2016-11-02 Thread Heinrich Schuchardt
Package: apache2
Version: 2.4.23-5
Severity: wishlist

Dear maintainer,

/etc/apache2/conf-available/security.conf currently defaults to
ServerTokens OS

This results in a header like:
Server: Apache/2.4.10 (Debian)

Sending the Apache and OS version is a waste of bandwidth.
Unfortunately Apache does not allow one to completely suppress this
superfluous header.

Furthermore the current setting exposes valuable information to a
possible intruder:
Why should any HTTP client care which OS my server is using?

Please, change the default to
ServerTokens Minimal

Best regards

Heinrich Schuchardt
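An audit check for the header this report discusses, added here as an example (it is not part of the bug thread or of the Debian apache2 package): given a Server header value, it infers which ServerTokens level produced it, so an admin can verify whether a host still discloses more than the proposed Minimal default. The level-to-header mapping follows the Apache ServerTokens documentation (Prod, Major, Minor, Minimal, OS, Full); the sample header values are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# ServerTokens levels from least to most disclosure, per the Apache docs.
LEVEL_ORDER = ("Prod", "Major", "Minor", "Minimal", "OS", "Full")

# Apache emits "Apache", then optionally "/version", then optionally
# " (OS)", then (only at Full) extra module tokens such as "OpenSSL/1.0.1t".
SERVER_RE = re.compile(
    r"^(?P<product>Apache)"
    r"(?:/(?P<version>\d+(?:\.\d+){0,2}))?"
    r"(?: \((?P<os>[^)]*)\))?"
    r"(?P<modules>(?: \S+)*)$"
)

@dataclass(frozen=True)
class ServerDisclosure:
    level: str                 # inferred ServerTokens level
    version: str | None        # e.g. "2.4.10"; None for ServerTokens Prod
    os: str | None             # e.g. "Debian"; present only at OS and Full
    modules: tuple[str, ...]   # module tokens; present only at Full

def classify(server_header: str) -> ServerDisclosure:
    """Infer the ServerTokens level from a Server response header value."""
    m = SERVER_RE.match(server_header.strip())
    if not m:
        raise ValueError(f"not an Apache Server header: {server_header!r}")
    version, os_name = m.group("version"), m.group("os")
    modules = tuple(m.group("modules").split())
    if modules:
        level = "Full"      # Full with no module tokens is indistinguishable from OS
    elif os_name is not None:
        level = "OS"
    elif version is None:
        level = "Prod"
    else:
        level = {1: "Major", 2: "Minor", 3: "Minimal"}[len(version.split("."))]
    return ServerDisclosure(level, version, os_name, modules)

def discloses_more_than(server_header: str, allowed: str = "Minimal") -> bool:
    """True when the header reveals more than the given ServerTokens level."""
    return LEVEL_ORDER.index(classify(server_header).level) > LEVEL_ORDER.index(allowed)

if __name__ == "__main__":
    # Constructed sample header values, not captured from real hosts.
    for header in ("Apache/2.4.10 (Debian)", "Apache/2.4.10", "Apache",
                   "Apache/2.4.10 (Debian) OpenSSL/1.0.1t PHP/5.6.40"):
        flag = "exceeds Minimal" if discloses_more_than(header) else "ok"
        print(f"{header!r:55} ServerTokens {classify(header).level:8} {flag}")
```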