change vendor, versions etc in the source file httpd.h, lines:

    #define SERVER_BASEVENDOR "Apache Group"
    #define SERVER_BASEPRODUCT "Apache"
    #define SERVER_BASEREVISION "1.3.22"

etc.. into something bogus and compile the source again.
or take in the line 'ServerTokens Prod' in the Apache httpd.conf and restart the apache service.
See: http://httpd.apache.org/docs-2.0/mod/core.html#servertokens

but then Apache will still say it's Apache...and you probably want your server to say 'f&^ck off', right?

same for mod_ssl (libssl.version) openssl (opensslv.h) php (php_version.h / configure.in) etc etc

greetz,
n30
http://neo.hexyn.be/

----- Original Message -----
From: "Don Balunos" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 25, 2002 7:43 PM
Subject: Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01

> Hi All,
>
> Can anyone help me how to configure Apache web
> server to return bogus versions, so that it makes the
> cracker job more difficult.
>
> Please see the result from nessus scan:
>
> The remote web server type is :
>
> Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5
> OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1
> mod_perl/1.24_01
>
> Thanks in advance.
>
> Regards, Don
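
Added example, not part of the original thread: a small Python check an administrator can run after changing ServerTokens to confirm what the Server header still gives away. It parses the banner quoted above using the RFC 7231 product/comment grammar; the function names and the sample HTTP response are constructed for illustration.

```python
import re

# RFC 7231 grammar: Server = product *( RWS ( product / comment ) )
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PRODUCT_RE = re.compile(rf"({TOKEN})(?:/({TOKEN}))?")
COMMENT_RE = re.compile(r"\(([^()]*)\)")

# Banner quoted in the thread, and the value Apache sends with 'ServerTokens Prod'.
BANNER_FROM_SCAN = ("Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5 "
                    "OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01")
BANNER_PROD = "Apache"

# Constructed sample response (not captured from a real host).
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nDate: Fri, 25 Jan 2002 18:43:00 GMT\r\n"
                   "Server: " + BANNER_FROM_SCAN + "\r\nContent-Length: 0\r\n\r\n")

def server_header(raw_response):
    """Return the Server header value from a raw HTTP response, or None."""
    for line in raw_response.split("\r\n")[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

def parse_server_banner(banner):
    """Split a banner into [(product, version-or-None)] and [comment]."""
    comments = COMMENT_RE.findall(banner)
    bare = COMMENT_RE.sub(" ", banner)   # drop comments before tokenising
    products = [(m.group(1), m.group(2)) for m in PRODUCT_RE.finditer(bare)]
    return products, comments

def audit_banner(banner):
    """List every piece of version or platform detail the banner gives away."""
    products, comments = parse_server_banner(banner)
    findings = [f"{name}: version {ver} disclosed" for name, ver in products if ver]
    findings += [f"platform comment disclosed: ({c})" for c in comments]
    return findings

if __name__ == "__main__":
    for label, banner in (("scan", server_header(SAMPLE_RESPONSE)), ("Prod", BANNER_PROD)):
        findings = audit_banner(banner)
        print(f"[{label}] Server: {banner} -> {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

An empty findings list means the banner carries only bare product names; it does not mean the server type is hidden, since the product name itself is still sent.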