Wednesday, June 9, 2010

Apache ServerSignature tutorial


Sometimes web-server security comes down to not handing information to an attacker. For Apache2, masking the server signature is a cheap and worthwhile step: the stock banner tells anyone who connects the exact httpd, PHP, mod_ssl and OpenSSL versions, which is all a scanner needs to pick matching exploits. Masking it does not fix any of those components (keep patching), but it removes the easiest fingerprint. Below I will explain how to mask the signature and how to verify it is masked with nmap.

Stock Apache2 install:
$ sudo nmap -PO -A -O -vvv 192.168.2.75
... Text ...
80/tcp open http Apache httpd 2.2.11 ((Ubuntu) DAV/2 SVN/1.5.4 PHP/5.2.6-3ubuntu4.5 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8g)
.... More Text ....
443/tcp open ssl/http Apache httpd 2.2.11 ((Ubuntu) DAV/2 SVN/1.5.4 PHP/5.2.6-3ubuntu4.5 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8g)
.... More Text ....

We don't want to hand that information to third parties, let alone attackers, so set the two directives below. ServerSignature controls the footer on server-generated pages (error pages, directory listings); ServerTokens controls the Server response header and, since 2.0.44, also what ServerSignature prints. Prod is the most restrictive level and reduces the header to "Server: Apache". On Debian-derived systems these directives may already be set in an included file such as /etc/apache2/conf.d/security; if a directive appears more than once, the later one wins, so edit the existing line rather than adding a second copy.

$ sudo nano /etc/apache2/apache2.conf
ServerSignature Off
ServerTokens Prod
$ sudo /etc/init.d/apache2 reload

Muted Apache2 server now:

$ sudo nmap -PO -A -O -vvv 192.168.2.75
...NMAP Text ...
80/tcp open http Apache httpd
.... More Text ....
443/tcp open ssl/http Apache httpd
.... More Text ....
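nmap's version string comes straight from the Server header, so the same check can be done without nmap. The following is an added example, not code from the original post: a small Python audit that pulls the Server header and the <address> footer out of a raw HTTP response, maps the header to the ServerTokens level that would produce it, and lists what still leaks. The two responses embedded in it are constructed to match the banners shown above (the 404 footer, date and path are assumptions); fetch_raw does the same against a live host. It also reports a PHP X-Powered-By header, which ServerTokens does not touch (that one is PHP's expose_php setting).

```python
"""Audit what an Apache response discloses: the Server header (ServerTokens),
the <address> footer on generated pages (ServerSignature) and X-Powered-By.

Added example for this post. The sample responses are constructed to match
the nmap banners above; they were not captured from the author's host."""
import http.client
import re

# Server header shapes for each ServerTokens level (Apache 2.2 core docs):
# Prod "Apache", Major "Apache/2", Minor "Apache/2.2", Min "Apache/2.2.11",
# OS "Apache/2.2.11 (Ubuntu)", Full "Apache/2.2.11 (Ubuntu) <module info>".
_SERVER_RE = re.compile(
    r"^Apache(?:/(\d+)(?:\.(\d+)(?:\.(\S+))?)?)?"   # product/major.minor.patch
    r"(?:\s+\(([^)]*)\))?"                          # (OS)
    r"(?:\s+(.+))?$"                                # loaded-module info
)
_ADDRESS_RE = re.compile(r"<address>(.*?)</address>", re.I | re.S)


def classify_server_tokens(server_header):
    """Map a Server header to the ServerTokens level that would produce it."""
    m = _SERVER_RE.match(server_header.strip())
    if not m:
        return "non-Apache or unrecognised"
    major, minor, patch, os_name, modules = m.groups()
    if modules:
        return "Full"
    if os_name:
        return "OS"
    if patch:
        return "Min"
    if minor:
        return "Minor"
    if major:
        return "Major"
    return "Prod"


def parse_response(raw):
    """Split a raw HTTP/1.x response into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def leaks(report):
    """Fingerprinting material an attacker could read from this response."""
    found = []
    if report["server_tokens"] not in ("Prod", "absent"):
        found.append("Server header exposes version (ServerTokens %s)"
                     % report["server_tokens"])
    if report["server_signature"]:
        found.append("page footer exposes ServerSignature")
    if report["x_powered_by"]:
        found.append("X-Powered-By exposes " + report["x_powered_by"])
    return found


def audit_response(raw):
    headers, body = parse_response(raw)
    server = headers.get("server", "")
    sig = _ADDRESS_RE.search(body)
    report = {
        "server": server,
        "server_tokens": classify_server_tokens(server) if server else "absent",
        "server_signature": sig.group(1).strip() if sig else None,
        "x_powered_by": headers.get("x-powered-by"),
    }
    report["leaks"] = leaks(report)
    return report


def fetch_raw(host, port=80, path="/this-page-does-not-exist"):
    """Fetch a page that should 404, so a ServerSignature footer can appear."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    head = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
    head += "".join("%s: %s\r\n" % (k, v) for k, v in resp.getheaders())
    return head + "\r\n" + resp.read().decode("latin-1")


# Constructed samples: the stock banner from the nmap output above, before
# and after ServerSignature Off / ServerTokens Prod.
_FULL = ("Apache/2.2.11 (Ubuntu) DAV/2 SVN/1.5.4 PHP/5.2.6-3ubuntu4.5 "
         "with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8g")
_BODY_404 = ("<html><head><title>404 Not Found</title></head><body>\n"
             "<h1>Not Found</h1>\n<p>The requested URL /nope was not found "
             "on this server.</p>\n<hr>\n%s</body></html>\n")
STOCK_404 = ("HTTP/1.1 404 Not Found\r\nServer: %s\r\n"
             "Content-Type: text/html; charset=iso-8859-1\r\n\r\n" % _FULL
             + _BODY_404 % ("<address>%s Server at 192.168.2.75 Port 80"
                            "</address>\n" % _FULL))
HARDENED_404 = ("HTTP/1.1 404 Not Found\r\nServer: Apache\r\n"
                "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
                + _BODY_404 % "")

if __name__ == "__main__":
    for label, raw in (("stock", STOCK_404), ("hardened", HARDENED_404)):
        r = audit_response(raw)
        print(label, r["server_tokens"], r["leaks"] or "no leaks")
```

To run it against your own box, replace the constructed samples with `audit_response(fetch_raw("192.168.2.75"))`; requesting a path that does not exist matters, because ServerSignature only appears on pages Apache generates itself, so a 200 from index.html would never show the footer even when it is still On.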

For alternative modifications I would suggest looking at:
http://httpd.apache.org/docs/2.2/mod/core.html#servertokens
http://httpd.apache.org/docs/2.2/mod/core.html#serversignature

:) Hope this provided some insight
