|
WebApp Sec
mailing list archives
Re: About web server version
From: "Kurt Seifried" <bt () seifried org>
Date: Sat, 26 Apr 2003 14:56:10 -0700
Hi everybody,
i would like to know if it is possible to modify
information returned by web server (apache) about
version, type : apache
I have found the solution to hide the version by adding
this rule to the httpd.conf :
ServerTokens Prod
But I would like that this information also not
returned to a malicious user that try to collect
information about the web server
You will need to modify the source code. Unfortunately that won't really
fool anyone. Error messages, header formats/etc all provide plenty of
information. Check out Rain.Forest.Puppy's presentation on this and his
whisker tool available at wiretrip.net.
In any event it doesn't matter, most "generic" web attacks I have seen are
not targeted, they simply take a shotgun approach, or if it's a worm it just
blasts out at everyone. Much better to spend the time and effort keeping
Apache up to date.
Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
 By Date 
By Thread
Current thread:
|
Intro
