OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: [suse-security] making Apache hide info.
From: Kilian Huber (kilbunny.ch)
Date: Fri Oct 06 2000 - 12:07:43 CDT

Yuri Robbers [yurirulbii.leidenuniv.nl] wrote:

> I always try to hide as many details about the services I'm running as
> possible. I don't want, for example, my ftpd to tell everyone that it's
> ProFTP 1.2.0 on an i386 running SuSE 7.0 or whatever. Legitimate users
> don't need this info, and I don't want hackers to be able to get it
> by just establishing a regular connection.
>
> Of course this is easy to do for most service, but I haven't managed this
> with Apache. Just surfing to a non-existing page, for example, gives out
> an error message like this:
>
> > Apache/1.3.12 Server at rulbii.leidenuniv.nl Port 80
>
> How do I stop Apache from telling that it is Apache 1.3.12? I have worked
> my way through httpd.conf, I've read the manual, but still I have no
> clue... Can anyone help me?

The ServerTokens and ServerSignature directives may be your friend, see

  http://www.apache.org/docs/mod/core.html#servertokens
  http://www.apache.org/docs/mod/core.html#serversignature

If this does not satisfy, use the source :)

        -- Kilian

---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribesuse.com
For additional commands, e-mail: suse-security-helpsuse.com