
The vast majority of websites today run on Apache, usually with something like PHP for server-side scripting. If you have a prominent site, you can bet it is also being looked at by all sorts of people, from script kiddies to those who want to deface it because they do not agree with your company, product, political point of view, etc.
Make life a little harder for them by telling Apache to be a little more secretive about what exactly is running on your server.
By default, Apache will respond in the following way to a request:

    Date: Tue, 30 Jun 2009 19:14:35 GMT
    Server: Apache/2.2.11 (FreeBSD) mod_ssl/2.2.11 OpenSSL/0.9.8k DAV/2
    X-Pingback: http://example.com/wordpress/xmlrpc.php
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Last-Modified: Tue, 30 Jun 2009 19:14:35 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Pragma: no-cache
    Vary: Accept-Encoding,User-Agent
    Content-Encoding: gzip
    Content-Length: 6184
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    200 OK

As you can see, there is a lot of information about Apache in there, which gives a potential bad person a nice place to start. They now have version numbers, and their first port of call would be to look through the vulnerability database for those products, where there may be a ready-made exploit (because you are not that consistent with your patching, but that is another discussion).
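Fixing this is easy: just add the following directives to your httpd.conf file.

    # Omit the server version line from Apache-generated pages (error pages, directory listings)
    ServerSignature off
    # Send only the product name in the Server header
    ServerTokens ProductOnly
    # Needs mod_headers; the Server header is still sent as "Apache", as the response below shows
    Header unset Server
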
Looking at the server's response headers now, this is what we see:

    Date: Tue, 30 Jun 2009 19:09:39 GMT
    Server: Apache
    X-Pingback: http://example.com/wordpress/xmlrpc.php
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Last-Modified: Tue, 30 Jun 2009 19:09:39 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Pragma: no-cache
    Vary: Accept-Encoding,User-Agent
    Content-Encoding: gzip
    Content-Length: 6185
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    200 OK

Considerably less information for someone to work with.
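
A quick way to confirm the change took effect, as an added example that is not code from the original post: the Python below parses a raw header block and lists every version number or platform name the Server header gives away. The two sample blocks are trimmed from the responses shown above; the function names are assumptions of this example.

```python
import re

# Trimmed copies of the two responses shown on this page.
BEFORE = """\
Date: Tue, 30 Jun 2009 19:14:35 GMT
Server: Apache/2.2.11 (FreeBSD) mod_ssl/2.2.11 OpenSSL/0.9.8k DAV/2
X-Pingback: http://example.com/wordpress/xmlrpc.php
Content-Type: text/html; charset=UTF-8
"""
AFTER = """\
Date: Tue, 30 Jun 2009 19:09:39 GMT
Server: Apache
X-Pingback: http://example.com/wordpress/xmlrpc.php
Content-Type: text/html; charset=UTF-8
"""

# Matches either a "(comment)" group or a product[/version] token.
TOKEN = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/(\S+))?")

def parse_headers(raw):
    """Return {lowercased-name: value}; lines without a colon (status lines) are skipped."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers

def server_disclosures(raw):
    """List what the Server header reveals beyond a bare product name."""
    value = parse_headers(raw).get("server", "")
    findings = []
    for comment, product, version in TOKEN.findall(value):
        if comment:
            findings.append(("platform", comment))   # e.g. the OS in parentheses
        elif version:
            findings.append((product, version))      # product with a version number
    return findings

def audit(raw):
    """Return (ok, findings); ok is True when no version or platform detail leaks."""
    findings = server_disclosures(raw)
    return (not findings, findings)

if __name__ == "__main__":
    for label, block in (("before", BEFORE), ("after", AFTER)):
        ok, findings = audit(block)
        print(label, "OK" if ok else "LEAKS", findings)
```

audit() accepts any raw header block, so the output of curl -sI against your own server can be passed to it unchanged.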
Now don’t think this will make your site un-hackable; no site is hack-proof. It just makes the bad guy do a lot more work to figure out your environment, and maybe, just maybe, he will pick someone else to direct his attention to…
