Posts Tagged ‘security’

Securing Apaches Header Information

When you install apache with default settings (./configure && make && make install) this is the header that your users are able to get:

[root@hostname] /usr/local/apache2 $ telnet localhost 80
Trying 127.0.0.1…
Connected to localhost.localdomain (127.0.0.1).
Escape character is ‘^]’.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 24 Aug 2010 18:17:56 GMT
Server: Apache/2.2.16 (Unix)
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: “7001c-2c-3e9564c23b600”
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

Now what you could do is go and change your ServerTokens to Prod which is short for ProductOnly and would show only Apache. Like this:

[root@hostname] /usr/local/apache2 $ telnet localhost 80
Trying 127.0.0.1…
Connected to localhost.localdomain (127.0.0.1).
Escape character is ‘^]’.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 24 Aug 2010 18:23:39 GMT
Server: Apache
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: “7001c-2c-3e9564c23b600”
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

Much better but you are still telling the world that you are using Apache. First thought would be that you can use mod_headers to just remove the Server: part of your headers but unfortunately this is not possible. Apache tags the Server: and Date: information to the header just before this is sent to the client. There is a bug for this issue but it has not been fixed and it has been around for 5 years.

My fix for this is to create a patch that sets the name “Apache” to whatever you would like. Here is a server that has been patched:

[root@hostname] /usr/local/apache2 $ telnet localhost 80
Trying 127.0.0.1…
Connected to localhost.localdomain (127.0.0.1).
Escape character is ‘^]’.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 24 Aug 2010 18:23:39 GMT
Server: Freddys Secure HTTP Server
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: “7001c-2c-3e9564c23b600”
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/htm

The file you want is Apache_source/include/ap_release.h then look for line 44:

#define AP_SERVER_BASEPRODUCT “Freddys Secure HTTP Server”

If you don’t like messing with the source code here is a patch that you can apply before running the configure… :

diff -rupN httpd-2.2.16/include/ap_release.h httpd-2.2.16_patched/include/ap_release.h
— httpd-2.2.16/include/ap_release.h 2010-07-21 12:26:44.000000000 -0600
+++ httpd-2.2.16_patched/include/ap_release.h 2010-08-24 12:40:09.000000000 -0600
@@ -41,7 +41,7 @@
*/
#define AP_SERVER_BASEVENDOR “Apache Software Foundation”
#define AP_SERVER_BASEPROJECT “Apache HTTP Server”
-#define AP_SERVER_BASEPRODUCT “Apache”
+#define AP_SERVER_BASEPRODUCT “Freddys Secure HTTP Server”

#define AP_SERVER_MAJORVERSION_NUMBER 2
#define AP_SERVER_MINORVERSION_NUMBER 2

Now put this patch in a file called apache_name.patch and run this command:

[root@hostname] ~/httpd-2.2.16 $  $ patch -p1 < ../apache_name.patch
patching file include/ap_release.h

Now like normal run ./configure && make && make install, set your ServerTokens to Prod and the Server: header should say whatever you change the AP_SERVER_BASEPRODUCT too.

Advertisements