Saturday, August 3, 2013

Why and How to hide Server Information


This tutorial shows how to hide the server information displayed (example show left) at the footer of any server-generated document. We also look why it is important to hide such information.

How to hide
 The Apache version number and other information can be hidden by controlling two config directives.

 The ServerSignature directive adds a line containing the Apache HTTP Server server version and the ServerName to the footer of any server-generated documents, such as error messages, mod_proxy ftp directory listings, mod_info output, etc. The Off setting, which is the default, suppresses the footer line (and is therefore compatible with the behavior of Apache-1.2 and below). The On setting simply adds a line with the server version number and ServerName of the serving virtual host, and the Email setting additionally creates a "mailto:" reference to the ServerAdmin of the referenced document.

 Syntax:
ServerSignature On|Off|EMail

 The ServerTokens directive controls whether Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.

 Syntax:
ServerTokens Full (or not specified)
Example Footer: Apache/2.2.17 (Win32) PHP/5.3.5 Server at localhost Port 80
ServerTokens Prod
Example Footer: Apache Server at localhost Port 80
ServerTokens Major
Example Footer: Apache/2 Server at localhost Port 80
ServerTokens Minor
Example Footer: Apache/2.2 Server at localhost Port 80
ServerTokens Min
Example Footer: Apache/2.2.17 Server at localhost Port 80
ServerTokens OS
Example Footer: Apache/2.2.17 (Win32) Server at localhost Port 80

To complete remove the footer, open your httpd.conf file and append/modify config directive as follows:
ServerSignature Off

If you want a part of the information to be displayed:
     ServerSignature On
  ServerTokens [Major|Minor|Min|Prod|OS|Full]


Why hide
The first step when a hacker tries to crack into site/server is Footprinting and Reconnaissance (ie gather as such information as possible). This is done to select the right kind of  hacks from a millions of hacks either available freely on the web or developed by the hacker. Trying out each and every hacks would take years, so the attacker spend a large amount of time on gathering as such as possible. Things become easy for the attacker if server information is displayed when he/she simply types a worng URL !!



In the above, the attacker can search for vulnerablities in Apache,OpenSSL, or FrontPage
So far this year (Aug-2013), 2 OpenSSL and 5 Apache vulnerabilites have been made public.
List of publicaly availabe vulnerablities
OpenSSL 0.9.8 : http://www.cvedetails.com/version/26306/Openssl-Openssl-0.9.8.html
Apache 2.2.17 : http://www.cvedetails.com/version/109443/Apache-Http-Server-2.2.17.html

So always use the lastest version and apply patches ;)

No comments:

Post a Comment