Re: Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01

From: Securism (f.dewit@securism.com)
Date: 01/26/02


From: "Securism" <f.dewit@securism.com>
To: "Don Balunos" <don.balunos@analog.com>, <security-basics@securityfocus.com>
Date: Sat, 26 Jan 2002 18:27:58 +0100

change vendor, versions etc in the source file httpd.h, lines:
#define SERVER_BASEVENDOR "Apache Group"
#define SERVER_BASEPRODUCT "Apache"
#define SERVER_BASEREVISION "1.3.22"
etc. into something bogus and compile the source again.

or take in the line 'ServerTokens Prod' in the Apache httpd.conf and restart
the apache service.
See: http://httpd.apache.org/docs-2.0/mod/core.html#servertokens

but then Apache will still say it's Apache...and you probably want your
server to say 'f&^ck off', right?

same for mod_ssl (libssl.version)

openssl (opensslv.h)

php (php_version.h / configure.in) etc etc

greetz, n30

http://neo.hexyn.be/

----- Original Message -----
From: "Don Balunos" <don.balunos@analog.com>
To: <security-basics@securityfocus.com>
Sent: Friday, January 25, 2002 7:43 PM
Subject: Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6
DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01

>
>
> Hi All,
>
> Can anyone help me how to configure Apache web
> server to return bogus versions, so that it makes the
> cracker job more difficult.
>
> Please see the result from nessus scan:
>
> The remote web server type is :
>
>
> Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5
> OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1
> mod_perl/1.24_01
>
>
>
> Thanks in advance.
>
> Regards, Don
>
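
To confirm what a response still discloses after either change discussed in this thread, the Server header can be split into its product and comment tokens and checked for versions. This is an added example, not part of the original messages; the function names and the two sample responses are constructed, with the first banner copied from the Nessus output quoted above.

```python
import re

# One "(comment)" or one product token "name/version" (version optional).
_TOKEN = re.compile(r"\(([^()]*)\)|([^\s/()]+)(?:/(\S+))?")

def server_header(raw_head):
    """Return the Server header value from raw response headers, or None."""
    for line in raw_head.splitlines()[1:]:      # skip the status line
        if not line.strip():                    # blank line ends the headers
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

def parse_server_banner(banner):
    """Split a banner into ("product", name, version) / ("comment", text, None)."""
    entries = []
    for m in _TOKEN.finditer(banner):
        comment, name, version = m.groups()
        if comment is not None:
            entries.append(("comment", comment, None))
        else:
            entries.append(("product", name, version))
    return entries

def audit(raw_head):
    """List every banner token that reveals a version or platform detail."""
    banner = server_header(raw_head)
    if banner is None:
        return []
    findings = []
    for kind, value, version in parse_server_banner(banner):
        if kind == "comment":
            findings.append("platform comment: " + value)
        elif version:
            findings.append("version disclosed: %s %s" % (value, version))
    return findings

# Constructed sample responses (header section only).
FULL = ("HTTP/1.1 200 OK\r\n"
        "Server: Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5 "
        "OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01\r\n"
        "Content-Type: text/html\r\n\r\n")
PROD = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("before", FULL), ("ServerTokens Prod", PROD)):
        print(label, audit(raw) or "no version tokens in Server header")
```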


