> -----Original Message----- > From: Singh, Sukhjeet [mailto:sukhjeet.si...@fiserv.com] > Sent: Wednesday, June 10, 2009 2:56 PM > To: users@httpd.apache.org > Subject: RE: [us...@httpd] Re: Fixing HTTP Service / Server > Version Detected > > Eric, > > Can you let me know the best possible way to hide this banner.
There is no way, via configuration, to hide it. You can only reduce it to a minimum by setting the directive in the documentation link you were sent (you did follow this link, didn't you?) If you are really determined, you can remove it in the source code and recompile (search for "ServerTokens"). Alternatively some application firewall might be able to filter out this response header. However, as Dan has said, every attacker just blindly attacks every server with every exploit. They do not waste time "testing" to try to match exploit to server. If they did it would be great! - we could all just masquerade our servers as "Dreadnought Unbreakable Server" and hackers would all have to give up. The warning you have seen is just a stock message that security consultants wheel out to make it look like they are doing something. There was originally a good reason for the server signature - in the early days, different browsers and servers had slightly different capabilities and it was useful if each could identify the other in order to work-around known bugs and features. However, nowadays everything does everything and it probably doesn't matter any more. Having said all that, I hear that future versions of apache might have a directive allowing you to put "Bob's Handy Dandy Server" in there.. so maybe just wait a while. Rgds, Owen Boyle Disclaimer: Any disclaimer attached to this message may be ignored. > > Sukhjeet > > -----Original Message----- > From: Dan Poirier [mailto:poir...@pobox.com] > Sent: Wednesday, June 10, 2009 6:05 PM > To: users@httpd.apache.org > Subject: [us...@httpd] Re: Fixing HTTP Service / Server > Version Detected > > Eric Covener <cove...@gmail.com> writes: > > > On Wed, Jun 10, 2009 at 7:53 AM, Singh, Sukhjeet > > <sukhjeet.si...@fiserv.com> wrote: > >> The server allows capture of the HTTP service banner. > Service banners > can > >> contain sensitive information, such as application and Operating > System (OS) > >> version numbers. An attacker can use the version information from > your Web > >> server to determine if there are any known vulnerabilities present, > or can > >> use such information to create attacks towards the specific > application or > >> OS. > > > > http://httpd.apache.org/docs/2.2/mod/core.html#servertokens > > Sukhjeet, you can hide this information, but I wouldn't think it would > make your server any more secure. Most attackers will > probably just try > a bunch of known vulnerabilities without even looking at the OS and > version. > > -- > Dan Poirier <poir...@pobox.com> > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP Server > Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > " from the digest: users-digest-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP > Server Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > " from the digest: users-digest-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > > This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. The sender's company reserves the right to monitor all e-mail communications through their networks. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
