Diff to add ServerTokens to the httpd.conf and change the default to ProductOnly

Diff to add ServerTokens to the httpd.conf and change the default to ProductOnly

Sebastian Rother
The following patch adds "ServerTokens" to the httpd.conf and changes
the default behavior to "ProductOnly".

This may help save some time and reduce the scans of
web security scanners which try to scan an Apache 1.3.29 even though OpenBSD
has a modified version.

Another (maybe useful) patch can be found here:
http://www.comsys.com.ua/files/apache-patch
It allows disabling the Server header completely (which can be useful;
it disables TRACE too, but this function was already merged to current).

*** httpd.conf.orig Mon Jan 23 03:54:30 2006
--- httpd.conf Mon Jan 23 03:58:30 2006
***************
*** 565,570 ****
--- 565,593 ----
  ServerSignature On
 
  #
+ # This directive controls whether Server response header field which
is
+ # sent back to clients includes a description of the generic OS-type
of
+ # the server as well as information about compiled-in modules.
+ #
+ #  ServerTokens Prod[uctOnly]
+ #  Server sends (e.g.): Server: Apache
+ #
+ #  ServerTokens Min[imal]
+ #  Server sends (e.g.): Server: Apache/1.3.0
+ #
+ #  ServerTokens OS                                  
+ #  Server sends (e.g.): Server: Apache/1.3.0 (Unix)
+ #
+ #  ServerTokens Full (or not specified)
+ #  Server sends (e.g.): Server: Apache/1.3.0 (Unix) PHP/3.0
+ #                               MyMod/1.2
+ #
+ # This setting applies to the entire server, and cannot be enabled or
+ # disabled on a virtualhost-by-virtualhost basis.
+
+ ServerTokens ProductOnly
+
+ #
  # Aliases: Add here as many aliases as you need (with no limit). The
format is # Alias fakename realname
  #
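Review bot: the hunk as posted has been line-wrapped by the mailer and will not apply cleanly: the added comment lines "+ # This directive controls whether Server response header field which" and "+ # sent back to clients includes a description of the generic OS-type" each have their last word ("is", "of") pushed onto a following line that carries no "+ " marker, and the context line "# Aliases: Add here as many aliases as you need (with no limit). The" has "format is # Alias fakename realname" run onto the next line the same way. Resend with line wrapping disabled or as an attachment so patch(1) sees intact lines. Minor: "+ #  ServerTokens OS" carries trailing whitespace that should be stripped before commit. The placement right after the ServerSignature block and the note that the setting is server-wide and cannot be changed per virtual host are good documentation for the directive.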

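As an added example (not from this thread or from OpenBSD's httpd.conf), here is a small Python check that classifies a server's Server header against the four ServerTokens levels described in the patch comment, so an administrator can confirm what the configured level actually discloses; the sample responses are constructed, one of them modelled on the `HEAD / HTTP/1.0` output shown later in this thread.

```python
"""Check what a Server header discloses, measured against the four
ServerTokens levels in the patch above (ProductOnly, Minimal, OS, Full).
Added example, not part of the original post or of OpenBSD's httpd.conf.
The responses below are constructed."""
import re
from typing import Optional

# Product, optional /version, optional (OS), then any trailing module tokens.
_SERVER_RE = re.compile(r"^([^\s/]+)(/\S+)?(\s*\([^)]*\))?(.*)$")

def server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

def tokens_level(server_value: str) -> str:
    """Lowest ServerTokens level that could have produced this value:
    'Apache' -> ProductOnly, 'Apache/1.3.0' -> Minimal,
    'Apache/1.3.0 (Unix)' -> OS, extra module tokens -> Full."""
    m = _SERVER_RE.match(server_value.strip())
    if m is None:                                  # unparseable: assume worst
        return "Full"
    _product, version, os_part, rest = m.groups()
    if rest.strip():
        return "Full"
    if os_part:
        return "OS"
    return "Minimal" if version else "ProductOnly"

def audit(raw_response: str) -> dict:
    """Summarise the disclosure; level is None when no Server header is sent."""
    value = server_header(raw_response)
    return {"server": value, "level": tokens_level(value) if value else None}

# Constructed samples: an OS-level header like the nc output in this thread,
# and what the patched default (ServerTokens ProductOnly) would send.
SAMPLE_OS = ("HTTP/1.1 200 OK\r\nDate: Mon, 23 Jan 2006 18:17:05 GMT\r\n"
             "Server: httpd/3.30A (Unix)\r\n\r\n")
SAMPLE_PRODUCT = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"

if __name__ == "__main__":
    for raw in (SAMPLE_OS, SAMPLE_PRODUCT):
        print(audit(raw))
```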
Re: Diff to add ServerTokens to the httpd.conf and change the default to ProductOnly

Frank Denis (Jedi/Sector One)-5
On Mon, Jan 23, 2006 at 04:10:27AM +0100, Sebastian Rother wrote:
>The following Patch adds "ServerTokens" to the httpd.conf and changes
>the default behavior to "ProductOnly".

  Wonderful, let Netcraft show that OpenBSD is a dead OS that nobody uses
any more.

Re: Diff to add ServerTokens to the httpd.conf and change the default to ProductOnly

Sebastian Rother
In reply to this post by Sebastian Rother
>On Mon, Jan 23, 2006 at 04:10:27AM +0100, Sebastian Rother wrote:
>>The following Patch adds "ServerTokens" to the httpd.conf and changes
>>the default behavior to "ProductOnly".
>
>Wonderful, let Netcraft show that OpenBSD is a dead OS that nobody uses
>any more.
 
I don't get your criticism.
By default the Apache banner looks like this:
Apache httpd 1.3.29 ((Unix) mod_ssl/2.8.16 OpenSSL/0.9.7g)

I don't read anything related to OpenBSD, nor does Apache write
"OpenBSD" somewhere in the banner.
But because of the version numbers these web servers maybe get more
attention than they should get.

That was my attitude for the little patch of the httpd.conf.


Kind regards,
Sebastian

Re: Diff to add ServerTokens to the httpd.conf and change the default to ProductOnly

Lukasz Sztachanski
In reply to this post by Frank Denis (Jedi/Sector One)-5
On Mon, Jan 23, 2006 at 09:24:56AM +0059, Frank Denis (Jedi/Sector One) wrote:
> On Mon, Jan 23, 2006 at 04:10:27AM +0100, Sebastian Rother wrote:
> >The following Patch adds "ServerTokens" to the httpd.conf and changes
> >the default behavior to "ProductOnly".
>
>  Wonderful, let Netcraft show that OpenBSD is a dead OS that nobody uses
> any more.
>
As far as I see, Netcraft doesn't determine the OS by checking httpd's version
string.



                                - Lukasz Sztachanski


--
0x058B7133 // 16AB 4EBC 29DA D92D 8DBE  BC01 FC91 9EF7 058B 7133
http://szati.blogspot.com
http://szati.entropy.pl

Re: Diff to add ServerTokens to the httpd.conf and change the default to ProductOnly

beck-7
In reply to this post by Sebastian Rother
> I don't read anything related to OpenBSD, nor does Apache write
> "OpenBSD" somewhere in the banner.
> But because of the version numbers these web servers maybe get more
> attention than they should get.
>

        And why should it?  I'm pretty sure netcraft does passive os
detection, it generally doesn't rely on the banner.

        Netcraft's process has been flawed for a long time when they
list us as NetBSD/OpenBSD. I see no reason to change stuff on our
behalf to make Netcraft's flawed statistics any less flawed, and put
more information in a banner.
       
        (unless you're talking about changing the banner to
"netcraft-sucks-wet-hairy-moose-rocks" or something like that. :)
 
        -Bob
       
--
| | |      The ASCII Fork Campaign
 \|/   against gratuitous use of threads.
  |

Re: Diff to add ServerTokens to the httpd.conf and change the default to ProductOnly

John D. Verne
In reply to this post by Frank Denis (Jedi/Sector One)-5
On 23-Jan-06, at 3:25 AM, Frank Denis (Jedi/Sector One) wrote:

> On Mon, Jan 23, 2006 at 04:10:27AM +0100, Sebastian Rother wrote:
>> The following Patch adds "ServerTokens" to the httpd.conf and changes
>> the default behavior to "ProductOnly".
>
>  Wonderful, let Netcraft show that OpenBSD is a dead OS that nobody
> uses
> any more.

<http://uptime.netcraft.com/up/accuracy.html#os>

Netcraft has its own way of determining OS information.  The server
string is not very useful in this regard.  Furthermore, Netcraft does
not distinguish between OpenBSD and NetBSD.

Your worries are unfounded.

Re: Diff to add ServerTokens to the httpd.conf and change the default to ProductOnly

patric conant
In reply to this post by beck-7
are we really courting the kinds of users who will rely on netcraft to
decide what OS to run? People with a clue can easily find out why they want
OpenBSD, and an unwillingness to do any more due diligence than stats on
netcraft is probably not going to get them through the install process.
Perhaps I am suffering from tunnel vision on this, but netcraft bragging
rights don't really seem to be in line with any project goals. If that is
indeed true, I don't see putting 3 seconds' worth of developer time/attention
into stopping the /. crowd from claiming *BSD is dead. Just my $.02.

On 1/23/06, Bob Beck <[hidden email]> wrote:

>
> > I don't read anything related to OpenBSD, nor does Apache write
> > "OpenBSD" somewhere in the banner.
> > But because of the version numbers these web servers maybe get more
> > attention than they should get.
> >
>
>         And why should it?  I'm pretty sure netcraft does passive os
> detection, it generally doesn't rely on the banner.
>
>         Netcraft's process has been flawed for a long time when they
> list us as NetBSD/OpenBSD. I see no reason to change stuff on our
> behalf to make Netcrafts flawed statistics any less flawed, and put
> more information in a banner.
>
>         (unless you're talking about changing the banner to
> "netcraft-sucks-wet-hairy-moose-rocks" or something like that. :)
>
>         -Bob
>
> --
> | | |         The ASCII Fork Campaign
> \|/       against gratuitous use of threads.
>   |

Re: Diff to add ServerTokens to the httpd.conf and change the default to ProductOnly

Marco Peereboom
In reply to this post by Sebastian Rother
How about "we'll just ignore what you want because it's you".

On Mon, Jan 23, 2006 at 05:36:14PM +0100, Sebastian Rother wrote:

> >On Mon, Jan 23, 2006 at 04:10:27AM +0100, Sebastian Rother wrote:
> >>The following Patch adds "ServerTokens" to the httpd.conf and changes
> >>the default behavior to "ProductOnly".
> >
> >Wonderful, let Netcraft show that OpenBSD is a dead OS that nobody uses
> >any more.
>  
> I don't get your criticism.
> By default the Apache banner looks like this:
> Apache httpd 1.3.29 ((Unix) mod_ssl/2.8.16 OpenSSL/0.9.7g)
>
> I don't read anything related to OpenBSD, nor does Apache write
> "OpenBSD" somewhere in the banner.
> But because of the version numbers these web servers maybe get more
> attention than they should get.
>
> That was my attitude for the little patch of the httpd.conf.
>
>
> Kind regards,
> Sebastian

Re: Diff to add ServerTokens to the httpd.conf and change the default to ProductOnly

Thorsten Glaser-3
Marco Peereboom dixit:

>How about "we'll just ignore what you want because it's you".

It would neither be the first time, nor the first person,
where you're doing it.

tg@odem:/home/tg $ print HEAD / HTTP/1.0\\n | nc ::1 80
HTTP/1.1 200 OK
Date: Mon, 23 Jan 2006 18:17:05 GMT
Server: httpd/3.30A (Unix)
[...]

//mirabile
--
I believe no one can invent an algorithm. One just happens to hit upon it
when God enlightens him. Or only God invents algorithms, we merely copy them.
If you don't believe in God, just consider God as Nature if you won't deny
existence. -- Coywolf Qi Hunt

Re: Diff to add ServerTokens to the httpd.conf and change the default to ProductOnly

Sebastian Rother
On Mon, 23 Jan 2006 13:20:24 -0600
Marco Peereboom <[hidden email]> wrote:

> Maybe you could use it as a learning experience on how not to interact with
> others.
>
> On Mon, Jan 23, 2006 at 06:17:15PM +0000, Thorsten Glaser wrote:
> > Marco Peereboom dixit:
> >
> > >How about "we'll just ignore what you want because it's you".
> >
> > It would neither be the first time, nor the first person,
> > where you're doing it.
> >
> > tg@odem:/home/tg $ print HEAD / HTTP/1.0\\n | nc ::1 80
> > HTTP/1.1 200 OK
> > Date: Mon, 23 Jan 2006 18:17:05 GMT
> > Server: httpd/3.30A (Unix)

I didn't think about netcraft but about vuln-scans which are made
because of the version number of apache.
This was just an idea how to reduce such stuff which belongs to the
version number in the banner.
Nothing more...

And you don't have to adapt "ProductOnly" but adapting the section
would be useful (like ServerSignature..) in my opinion.

Kind regards,
Sebastian

Re: Diff to add ServerTokens to the httpd.conf and change the default to ProductOnly

Brad Smith-14
On Mon, Jan 23, 2006 at 08:41:35PM +0100, Sebastian Rother wrote:

> On Mon, 23 Jan 2006 13:20:24 -0600
> Marco Peereboom <[hidden email]> wrote:
>
> > Maybe you could use it as a learning experience on how not to interact with
> > others.
> >
> > On Mon, Jan 23, 2006 at 06:17:15PM +0000, Thorsten Glaser wrote:
> > > Marco Peereboom dixit:
> > >
> > > >How about "we'll just ignore what you want because it's you".
> > >
> > > It would neither be the first time, nor the first person,
> > > where you're doing it.
> > >
> > > tg@odem:/home/tg $ print HEAD / HTTP/1.0\\n | nc ::1 80
> > > HTTP/1.1 200 OK
> > > Date: Mon, 23 Jan 2006 18:17:05 GMT
> > > Server: httpd/3.30A (Unix)
>
> I didn't think about netcraft but about vuln-scans which are made
> because of the version number of apache.
> This was just an idea how to reduce such stuff which belongs to the
> version number in the banner.
> Nothing more...
>
> And you don't have to adapt "ProductOnly" but adapting the section
> would be useful (like ServerSignature..) in my opinion.
>
> Kind regards,
> Sebastian
 
That is not a very good reason for proposing the patch.

Re: Diff to add ServerTokens to the httpd.conf and change the default to ProductOnly

beck-7
In reply to this post by patric conant
>  I don't see putting 3 seconds worth developer time/attention
> into stopping the /. crowd from claiming *BSD is dead. Just my $.02.

        I sure as hell hope not. I love the /. *BSD is dead trolls - not only
are they usually funny as hell, but they make sure people dumb enough
to believe them don't use OpenBSD and therefore act as a positive
force for the intelligence of the user community. IMO let the
dumbasses that believe that shit go waste the time of Windows and
Linux developers.

        The world needs more chlorine in the gene pool - too many raisinettes
floating around in it.

        -Bob

--
| | |      The ASCII Fork Campaign
 \|/   against gratuitous use of threads.
  |

Re: Diff to add ServerTokens to the httpd.conf and change the default to ProductOnly

Jimmy Scott
In reply to this post by Sebastian Rother
On Mon, Jan 23, 2006 at 08:41:35PM +0100, Sebastian Rother wrote:
> I didn't think about netcraft but about vuln-scans which are made
> because of the version number of apache.

If I wrote the scanner, I would queue you as 'unknown' and scan you for
every vulnerability out there. But I admit, I hate people claiming my
installation is insecure based on an incorrect version number.

Kind regards,
Jimmy Scott

--
People usually get what's coming to them ... unless it's been mailed.