Anyone know if it is possible to remove or completely
overwrite the Server HTTP header from Apache?
ServerTokens only allows it to be reduced somewhat.
mod_header doesn't seem to affect it.
We recently had a security audit done and one of the
points noted was that it was possible to identify
Hello,
Simon Ashford wrote:
We recently had a security audit done and one of the
points noted was that it was possible to identify the
web server software in use from the Server header.
So I would like to remove or completely overwrite
this header with something meaningless.
mod_security and
January 2007 14:53
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Removing or overwriting Server header
field.
Hello,
Simon Ashford wrote:
We recently had a security audit done and one of the
points noted was that it was possible to identify the
web server software in use from
On 1/24/07, Simon Ashford [EMAIL PROTECTED] wrote:
Hmmm...
Doesn't seem to work. Still get Server: Apache in the
HTTP headers regardless of SecServerSignature.
Get the impression from various reading that the Server
header is added by Apache pretty much at the very end of
processing, after
Joshua, that is not entirely true.
By making believe you're running a different webserver
than you really are ... you can potentially buy
yourself some valuable time.
If an attacker wants to attack/cripple your site,
he/she will most likely first try all known
vulnerabilities for that
On 1/24/07, Richard de Vries [EMAIL PROTECTED] wrote:
I have modsecurity running on my apache instances, and
I often see all kinds of IIS exploits hitting my box.
This then gives me time to look thru my various apache
and firewall logs, and take some corrective measures
like for instance
It may be a tiny roadblock as you put it, but it
doesn't cost anything, nor does it hurt anything. So
why wouldn't you do it?
By itself it may not make a whole lot of difference,
but combine a lot of these tiny roadblocks together
and you'll have yourself a defense in depth strategy.
PROTECTED] Behalf Of Joshua
Slive
Sent: 24 January 2007 21:50
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Removing or overwriting Server header
field.
On 1/24/07, Richard de Vries [EMAIL PROTECTED] wrote:
I have modsecurity running on my apache instances, and
I often see all kinds
On 1/24/07, Richard de Vries [EMAIL PROTECTED] wrote:
It may be a tiny roadblock as you put it, but it
doesn't cost anything, nor does it hurt anything.
Another error there. Ask yourself: why is this header suggested in
the HTTP spec anyway? It wasn't put there to give Netcraft something
to
The argument you are using is a general one, saying security doesn't
come from obscurity. While this is meaningful in a broad sense, in real
life scenarios obscurity often improves already existing security. The
problem is that all but a few mistake one for the other and that this
Maybe I'm going about this the wrong way but wouldn't any competent
systems administrator know about a known vulnerability and patch it
when it is discovered? Then again maybe I am thinking in too simple
terms.