Re: Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
From: Securism (f.dewit@securism.com)
Date: 01/26/02
From: "Securism" <f.dewit@securism.com>
To: "Don Balunos" <don.balunos@analog.com>, <security-basics@securityfocus.com>
Date: Sat, 26 Jan 2002 18:27:58 +0100

Change vendor, versions etc. in the source file httpd.h, lines:
#define SERVER_BASEVENDOR "Apache Group"
#define SERVER_BASEPRODUCT "Apache"
#define SERVER_BASEREVISION "1.3.22"
etc. to something bogus and compile the source again.
Or put the line 'ServerTokens Prod' in the Apache httpd.conf and restart
the Apache service.
See: http://httpd.apache.org/docs-2.0/mod/core.html#servertokens
But then Apache will still say it's Apache... and you probably want your
server to say 'f&^ck off', right?
same for mod_ssl (libssl.version)
openssl (opensslv.h)
php (php_version.h / configure.in) etc etc
greetz, n30
----- Original Message -----
From: "Don Balunos" <don.balunos@analog.com>
To: <security-basics@securityfocus.com>
Sent: Friday, January 25, 2002 7:43 PM
Subject: Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6
DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
>
>
> Hi All,
>
> Can anyone help me configure the Apache web
> server to return bogus versions, so that it makes the
> cracker's job more difficult.
>
> Please see the result from nessus scan:
>
> The remote web server type is :
>
>
> Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5
> OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1
> mod_perl/1.24_01
>
>
>
> Thanks in advance.
>
> Regards, Don
>
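
An added example, not part of either message above: a small Python check that splits a Server header into product tokens and comments and reports whether it is down to the bare product name that 'ServerTokens Prod' leaves. The function names and the two sample response heads are constructed for illustration.

```python
import re

# One match is either a parenthesised comment or a product[/version] token.
TOKEN = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/([^\s()]+))?")

def server_header(response_head):
    """Pull the Server header value out of a saved HTTP response head."""
    for line in response_head.splitlines()[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None  # header absent

def parse_banner(banner):
    """Split a Server value into (product, version) pairs and comments."""
    products, comments = [], []
    for comment, name, version in TOKEN.findall(banner or ""):
        if comment:
            comments.append(comment)
        elif name:
            products.append((name, version or None))
    return products, comments

def audit_banner(banner):
    """Report what a client learns from one Server header value."""
    products, comments = parse_banner(banner)
    return {
        "server": products[0][0] if products else None,
        "versions": {n: v for n, v in products if v},
        "modules": [n for n, _ in products[1:]],
        "platform": comments,
        # 'ServerTokens Prod' leaves one bare product name and nothing else.
        "prod_only": len(products) == 1 and not products[0][1] and not comments,
    }

# Constructed response heads: the banner from the scan quoted above, and
# the same server after 'ServerTokens Prod' (date values are made up).
BEFORE = ("HTTP/1.1 200 OK\r\nDate: Sat, 26 Jan 2002 17:00:00 GMT\r\n"
          "Server: Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5 "
          "OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01\r\n\r\n")
AFTER = "HTTP/1.1 200 OK\r\nDate: Sat, 26 Jan 2002 17:05:00 GMT\r\nServer: Apache\r\n\r\n"

if __name__ == "__main__":
    for head in (BEFORE, AFTER):
        report = audit_banner(server_header(head))
        print(report["server"], "prod_only =", report["prod_only"])
        print("  versions:", report["versions"], "platform:", report["platform"])
```
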