LinuxQuestions.org
Old 05-31-2005, 02:01 AM   #1
sln
LQ Newbie
 
Registered: Jul 2003
Posts: 11

Rep: Reputation: 0
ServerTokens Directive Apache with SLOX4.1


Hello:

I am trying to reduce the amount of information given out when someone tries
to Banner Grab for Version information. I read that "ServerToken" directive
in httpd.conf file will limit the amount of information given out. First off
I didn't find the "ServerToken" in the httpd.conf with a search. So I
added it in the Global Setting section (where I found it on RedHat box).
Set it to "ServerToken Prod" or "OS" or "Min" no quotation marks of course. I found
"ServerSignature On" changed it to "Off", restarted httpd, and then ran "HEAD /
HTTP/1.0" and it still comes back with


HEAD / HTTP/1.0
200 OK
Content-Length: 720
Content-Type: text/html
Last-Modified: Wed, 11 May 2005 20:16:21 GMT
Client-Date: Tue, 31 May 2005 04:49:32 GMT

404 Not Found
Date: Tue, 31 May 2005 04:31:44 GMT
Server: Apache/2.0.49 (Unix) PHP/4.3.9 # How do I get rid of this and say something else
Content-Length: 1335
Content-Type: text/html; charset=ISO-8859-1
Client-Date: Tue, 31 May 2005 04:49:33 GMT
Client-Response-Num: 1
Proxy-Connection: close
X-Cache: MISS from firewall.domainname
X-Powered-By: PHP/4.3.9 # How do I get rid of this and say something else


I guess my question should be: what controls the amount of information given out, ServerTokens, ServerSignature, or something else? And to configure these items, do I make my changes in the httpd.conf, or httpd.conf.SuSEconfig, or in /etc/sysconfig/apache? Which file and variable controls what gets displayed? I have made changes to ServerTokens and ServerSignature in httpd.conf and httpd.conf.SuSEconfig, and set the HTTPD_SEC_SAY_FULLNAME directive to "no" in /etc/sysconfig/apache at different times, then restarted the httpd with rchttpd restart, and then did the "HEAD / HTTP/1.0" from the command line, and I always get the above with no changes.

What AM I DOING WRONG?

Any help here would be appreciated.

Thanks:
Steve
 
Old 05-31-2005, 12:52 PM   #2
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Blog Entries: 4

Rep: Reputation: 78
I don't know what to tell you. On my system I have only:
Code:
ServerTokens Prod
ServerSignature Off
In httpd.conf, and all I get is:
Server: Apache

I would suggest finding out which conf file is the actual one being used, and double check that you don't have the directives written in there twice, cancelling each other out...

As far as what each directive does, ServerTokens decides how much info is in the header, and ServerSignature decides how much info is in server-generated pages such as 404 pages etc...

To turn off php reporting in the header edit php.ini and look for:
Code:
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
expose_php = Off

Last edited by bulliver; 05-31-2005 at 12:58 PM.
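An added example, not part of either post: a small Python check that takes a pasted set of response headers and reports what the `Server` and `X-Powered-By` lines still disclose, so the effect of `ServerTokens Prod` and `expose_php = Off` can be confirmed after a restart. The sample inputs are constructed from the header lines quoted in the thread, and the function and variable names are hypothetical.

```python
import re

# Constructed sample: header lines shown in the first post, and the
# "Server: Apache" result reported in the reply.
BEFORE = """\
Date: Tue, 31 May 2005 04:31:44 GMT
Server: Apache/2.0.49 (Unix) PHP/4.3.9
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: PHP/4.3.9
"""
AFTER = "Server: Apache\nContent-Type: text/html\n"

# Only the two headers discussed in the thread are audited.
AUDITED = ("server", "x-powered-by")
PRODUCT = re.compile(r"([A-Za-z][\w.+-]*)/(\d[\w.+-]*)")  # name/version token
COMMENT = re.compile(r"\(([^)]*)\)")                      # e.g. (Unix)


def parse_headers(raw):
    """Return {lowercased-name: value}; status lines without ':' are skipped."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw):
    """List (header, kind, detail) findings for version/platform disclosure."""
    findings = []
    headers = parse_headers(raw)
    for name in AUDITED:
        value = headers.get(name)
        if value is None:
            continue
        for product, version in PRODUCT.findall(value):
            findings.append((name, "version", f"{product}/{version}"))
        for comment in COMMENT.findall(value):
            findings.append((name, "platform", comment))
        # X-Powered-By without a version still reveals the technology in use.
        if name == "x-powered-by" and not PRODUCT.search(value):
            findings.append((name, "present", value))
    return findings


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw) or "no disclosure found")
```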
 
  

