Re: [users@httpd] HTTP reply. Too much systems information displayed.

Mon, 03 Sep 2007 22:56:10 -0700 

Hey Darragh,

Checkout http://httpd.apache.org/docs/1.3/mod/core.html#serversignature
for your 1.3 servers, and
http://httpd.apache.org/docs/2.0/mod/core.html#serversignature for your
2.0 server.

Also, then check out the ServerTokens directive too.

Hope this helps,

Scott.

Darragh Gammell wrote:
> Hi
>
> Recently we had a a security audit, one of the issues stated was that
> our servers report too much information which hackers can use.
>
> see output from a netcraft site report.
>
>       
>       
>       
>
> OWNER       IP                 OS    WebServer
> OWNER 123.123.123.123 <http://123.123.123.123> Linux Apache
> OWNER 123.123.123.123 <http://123.123.123.123> Linux Apache/2.0.54
> Ubuntu PHP/5.0.5-2ubuntu1 mod_ssl/2.0.54 OpenSSL/0.9.7g
> OWNER 123.123.123.123 <http://123.123.123.123> Linux Apache/1.3.34
> Debian PHP/5.1.2 mod_gzip/1.3.26.1a mod_ssl/2.8.25 OpenSSL/0.9.8a
> mod_perl/1.29 DAV/1.0.3
> OWNER 123.123.123.123 <http://123.123.123.123> Linux Apache/1.3.33
> Debian GNU/Linux PHP/5.0.4 mod_gzip/1.3.26.1a mod_ssl/2.8.22
> OpenSSL/0.9.7d mod_perl/1.29 DAV/1.0.3
> OWNER 123.123.123.123 <http://123.123.123.123> Linux Apache/1.3.31
> Debian GNU/Linux mod_gzip/1.3.26.1a mod_ssl/2.8.19 OpenSSL/0.9.7d
> mod_perl/1.29 DAV/1.0.3
> OWNER 123.123.123.123 <http://123.123.123.123> Linux Apache/1.3.29
> Debian GNU/Linux mod_gzip/1.3.26.1a mod_ssl/2.8.16 OpenSSL/0.9.7c
> mod_perl/1.29 DAV/1.0.3
> OWNER 123.123.123.123 <http://123.123.123.123> Linux Apache/1.3.29
> Debian GNU/Linux mod_gzip/1.3.26.1a mod_ssl/2.8.16 OpenSSL/0.9.7c
> DAV/1.0.3
> OWNER 123.123.123.123 <http://123.123.123.123> Linux Apache/1.3.27
> Debian GNU/Linux mod_gzip/1.3.26.1a mod_ssl/2.8.14 OpenSSL/0.9.7b
> DAV/1.0.3
> OWNER 123.123.123.123 <http://123.123.123.123> Linux Apache/1.3.27
> Unix Debian GNU/Linux mod_gzip/1.3.26.1a mod_ssl/2.8.14 OpenSSL/0.9.7b
> DAV/1.0.3
> OWNER 123.123.123.123 <http://123.123.123.123> Linux Apache/1.3.27
> Unix Debian GNU/Linux mod_gzip/1.3.26.1a mod_ssl/2.8.14 OpenSSL/0.9.7a
> DAV/1.0.3
>
>
> Does anyone know how to configure apache not to give this information
> out in its http replies.
>
> Thanks in advance
>
> Darragh
>

Reply via email to