Apache DevCenter

A Day in the Life of #Apache
Modifying the Server header in Apache 2.0 and 1.3

by Rich Bowen, coauthor of Apache Cookbook
09/23/2004

Editor's note: Rich Bowen tackles an Apache security issue in this latest column based on his conversations on the IRC channel #apache. This month he covers how to get Apache to send a different Server response so that no one can identify what version of Apache you're running, or any of the modules you have installed. The less information your server reveals, the safer it will be from crackers who want to try and break in. Rich is a coauthor of O'Reilly's Apache Cookbook.

#apache is an IRC channel that runs on the irc.freenode.net IRC network. To join this channel, you need to install an IRC client (XChat, MIRC, and bitchx are popular clients) and enter the following commands:

/server irc.freenode.net
/join #apache

Day Nine

A word of warning before we start: the question that we're dealing with today has a number of answers, and all of them have their drawbacks. It's one of those questions where it's far more important to understand the question than it is to know the answer. Um. If that made any sense at all.

So, here we go.

Today, we'll tackle the subject of introducing yourself. When you meet a new person, you say, "Hello, my name is Eddie Van Zant." (Or, at least, you do if that's your name. Which it almost certainly isn't. But let's try not to get sidetracked.)

Apache, on the other hand, says something like:

Server: Apache/1.3.31 (Unix) PHP/4.3.6 mod_perl/1.29 mod_ssl/2.8.18 OpenSSL/0.9.7d

Which leads quite frequently to the following question:

<Nolodie> Any suggestions on how to get Apache to send a different Server: response so that everybody doesn't know what modules I'm running?

At this point, there are several different answers that can be given. The most comprehensive is something like this:

<DrBacchus> fajita: Make apache lie?
<fajita> http://httpd.apache.org/docs/misc/FAQ.html#serverheader or See also ServerTokens and ServerSignature

This response is a reference to the FAQ--a list of the questions that have been asked frequently enough that it's worthwhile to write the answers down in one place so that nobody has to ever answer them again. The answer found there is what most people seem to be looking for. But not all. So it might be worthwhile backing up a bit and figuring out why people ask the question at all.

The general idea is that if Nasty People know exactly what version of Apache you're running, and what additional modules you have installed, they have a much better idea of how to crack into your server. Most of the time this is not much help to them, but when a published hole exists in the exact version or module you're advertising, the banner tells them precisely which attack to try. And, of course, it's those few circumstances that the Nasty People are looking for.

A good rule of thumb is that the less information you can give to the crackers, the better off you'll be. Granted, a lot of this information can be obtained through a variety of trickier techniques, but there's really no point in making it easy for them.

So what does the FAQ recommend that you do? Quite simply, it recommends that you set ServerTokens to Prod, which is short for ProductOnly. This causes Apache to return just the string Apache, with no version and no module list. (ServerTokens is a server-wide setting: it belongs in the main server configuration, not inside a <VirtualHost>.) That's a bit like being introduced as "Chuck," rather than "Charles Phillip Arthur George Windsor Mountbatten, The Prince of Wales."

If you are running Apache 2.0 instead of 1.3, that's all you really need to do. If you're running 1.3, there's a small problem. When Apache generates a page itself, such as an error document, it appends a line at the bottom called the server signature, which looks something like:

Apache/1.3.29 Server at shiraz.rcbowen.com Port 80

It does this even if you have ServerTokens set to Prod. It doesn't report your whole module list, but it reports what version of Apache you're running. In this case, it reports that I'm running Apache 1.3.29, while I really should have upgraded to 1.3.31 quite some time ago.

This information can be removed from these pages by the following setting:

ServerSignature Off

On Apache 2.0, the signature is built from the same string as the Server header, so ServerSignature never gives away more than ServerTokens allows. Turning it off is still worth doing, since the signature also announces the server's hostname and port.
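As an added check (example code written for this edit, not part of the original column and not Apache's own code), here is a small Python audit that reads a raw HTTP response to a request for a nonexistent URL and reports what the Server header and the signature line give away. The three responses are constructed to mirror the cases above (stock 1.3, 1.3 with ServerTokens Prod but ServerSignature still on, and the fully hardened pair) rather than captured from a live host, and the mapping from banner back to ServerTokens level is a heuristic.

```python
import re

# Everything below is an added example: constructed responses, not traffic
# captured from any real host. They mirror the shape of Apache 1.3's
# auto-generated 404 page described in the column.
FULL_BANNER = ("Apache/1.3.31 (Unix) PHP/4.3.6 mod_perl/1.29 "
               "mod_ssl/2.8.18 OpenSSL/0.9.7d")
SIGNATURE = "Apache/1.3.31 Server at www.example.com Port 80"


def make_404(server_header, signature=None):
    """Build a constructed 404 response; signature=None models ServerSignature Off."""
    body = ('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
            "<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY>\n"
            "<H1>Not Found</H1>\n"
            "The requested URL /nonexistent was not found on this server.<P>\n")
    if signature:
        body += "<HR>\n<ADDRESS>%s</ADDRESS>\n" % signature
    body += "</BODY></HTML>\n"
    head = ("HTTP/1.1 404 Not Found\r\n"
            "Date: Thu, 23 Sep 2004 14:02:11 GMT\r\n"
            "Server: %s\r\n"
            "Content-Type: text/html; charset=iso-8859-1\r\n\r\n" % server_header)
    return head + body


DEFAULT_404 = make_404(FULL_BANNER, SIGNATURE)   # stock 1.3: ServerTokens Full, ServerSignature On
PROD_ONLY_404 = make_404("Apache", SIGNATURE)    # 1.3 with ServerTokens Prod, signature still on
HARDENED_404 = make_404("Apache")                # ServerTokens Prod and ServerSignature Off

VERSION_RE = re.compile(r"/\d+(?:\.\d+)*")       # e.g. /1.3.31 or /4.3.6
SIGNATURE_RE = re.compile(r"<address>(.*?) Server at (\S+) Port (\d+)</address>",
                          re.IGNORECASE | re.DOTALL)


def split_response(raw):
    """Return (status line, [(name, value), ...], body) from a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


def get_header(headers, name):
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def classify_banner(server):
    """Heuristic: map a Server header back to the ServerTokens level that produced it."""
    if not server:
        return "absent"
    tokens = server.split()
    if any(VERSION_RE.search(t) for t in tokens[1:]):
        return "Full"        # product/version followed by a module list
    if "(" in server:
        return "OS"          # Apache/1.3.31 (Unix)
    if VERSION_RE.search(tokens[0]):
        return "Min"         # Apache/1.3.31 (Minimal; 2.0's Major/Minor land here too)
    return "Prod"            # bare "Apache"


def audit(raw):
    """Report what a response gives away: banner level, signature text, version leak."""
    _, headers, body = split_response(raw)
    server = get_header(headers, "Server")
    sig = SIGNATURE_RE.search(body)
    sig_text = sig.group(1) if sig else None
    leaks = bool(VERSION_RE.search(server or "")) or bool(VERSION_RE.search(sig_text or ""))
    return {"server": server, "tokens_level": classify_banner(server),
            "signature": sig_text, "leaks_version": leaks}


if __name__ == "__main__":
    for label, resp in (("default", DEFAULT_404), ("Prod only", PROD_ONLY_404),
                        ("hardened", HARDENED_404)):
        print(label, audit(resp))
```

Against a real server, feed audit() the output of a verbose fetch of a URL that does not exist (for example the -si output of curl) instead of the constructed samples; the "Prod only" case is the 1.3 trap described above, where the banner is clean but the signature line still leaks the version.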

These recommendations take care of 90 percent of the people that ask this question. But there's a certain number who always want to push it just that little bit farther. It's still not good enough that it tells you that it's Apache. They want it to say that it is "Microsoft IIS/5.0" or "Bob's Happy Httpd," or perhaps nothing at all. They seem to be reasoning that if the attacker doesn't know that it's Apache at all, then they'll leave them alone.

There's a problem with this line of reasoning. Two of them, in fact.

The vast majority of attacks are completely scripted. The attacker runs a script and goes to get a Pop-Tart. When they come back, they have their list of compromised hosts. The automated attacks are run against the target servers regardless of whether they are running Apache, IIS, or OmniWeb on OS/2. It just doesn't matter; the script never looks at the banner. That's why you end up with so many IIS-related attack entries in your error_log file.

Also, if someone really wants to know what web server you are running, they can find out with a technique known as fingerprinting. Each web server handles HTTP slightly differently, because of differing interpretations of the HTTP specification and other subtle details: the order in which it emits response headers, the wording of its canned error pages, how it answers a malformed request. So it's possible to send a few requests, look at the responses, and determine what the target is running without ever reading the Server header. Thus, it makes very little difference whether a server reports that it is running Apache 2.0.49 or "Wally's Wonderful Webserver," if the attacker is really dedicated.
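To make the fingerprinting point concrete, here is an added Python example (not from the original column, and not a complete fingerprinting tool) that ignores the Server banner entirely and scores a response on two of the classic behavioural tells: the order in which Date and Server appear, and the format of the ETag. Both sample responses are constructed; the first carries a forged banner over an otherwise Apache-shaped reply and is still identified as Apache.

```python
import re

# Added example: two constructed responses (not captured traffic). The first is
# an Apache server whose banner has been recompiled to say something else; the
# second is shaped like an IIS 5.0 reply. Only behaviour, not the banner, is scored.
FORGED_APACHE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 23 Sep 2004 14:02:11 GMT\r\n"
    "Server: Wally's Wonderful Webserver\r\n"
    "Last-Modified: Wed, 22 Sep 2004 09:15:42 GMT\r\n"
    'ETag: "2d-3e1-40f2a1c2"\r\n'
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 993\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
IIS_LIKE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Thu, 23 Sep 2004 14:02:11 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Accept-Ranges: bytes\r\n"
    "Last-Modified: Wed, 22 Sep 2004 09:15:42 GMT\r\n"
    'ETag: "0b6b6e0b0b0c31:a59"\r\n'
    "Content-Length: 993\r\n"
    "\r\n"
)

# The heuristics this example assumes (classic tells, not a full signature set):
#  - Apache's core emits Date before Server; IIS 5 emits Server before Date.
#  - Apache's default FileETag is inode-mtime-size in hex joined by dashes;
#    IIS joins two hex fields with a colon.
APACHE_ETAG = re.compile(r'^"[0-9a-f]+-[0-9a-f]+-[0-9a-f]+"$')
IIS_ETAG = re.compile(r'^"[0-9a-f]+:[0-9a-f]+"$', re.IGNORECASE)


def parse_headers(raw):
    """Return the response headers as an ordered list of (name, value)."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [tuple(p.strip() for p in line.split(":", 1))
            for line in head.split("\r\n")[1:] if ":" in line]


def fingerprint(raw):
    """Score a response as 'apache', 'iis' or 'unknown' without reading the banner.

    Returns (verdict, reasons)."""
    headers = parse_headers(raw)
    names = [n.lower() for n, _ in headers]
    score = {"apache": 0, "iis": 0}
    reasons = []
    if "date" in names and "server" in names:
        if names.index("date") < names.index("server"):
            score["apache"] += 1
            reasons.append("Date precedes Server")
        else:
            score["iis"] += 1
            reasons.append("Server precedes Date")
    etag = dict((n.lower(), v) for n, v in headers).get("etag")
    if etag and APACHE_ETAG.match(etag):
        score["apache"] += 1
        reasons.append("dashed inode-mtime-size ETag")
    elif etag and IIS_ETAG.match(etag):
        score["iis"] += 1
        reasons.append("colon-separated ETag")
    if score["apache"] == score["iis"]:
        return "unknown", reasons
    return max(score, key=score.get), reasons


if __name__ == "__main__":
    for label, resp in (("forged banner", FORGED_APACHE), ("IIS-like", IIS_LIKE)):
        verdict, why = fingerprint(resp)
        print("%s: %s (%s)" % (label, verdict, "; ".join(why)))
```

Real fingerprinting tools use many more such tells (response to unknown methods, HTTP/0.9 handling, header casing, and so on), but two are enough to show why a recompiled banner buys little on its own.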

"I don't care," says the questioner, "every little bit helps. Tell me how to change the Server: response header."

Oh, okay, if you insist.

If you're using Apache 1.3, the answer is that you have to edit the source code and recompile Apache. In particular, you'll need to edit the file src/include/httpd.h. Look for these lines:

   #define SERVER_BASEPRODUCT  "Apache"
   #define SERVER_BASEREVISION "1.3.31"

Change those to whatever amuses you. Recompile.

For Apache 2.0, the situation is similar, but different. Edit the file include/ap_release.h and look for these lines:

#define AP_SERVER_BASEPRODUCT "Apache"
#define AP_SERVER_MAJORVERSION "2"
#define AP_SERVER_MINORVERSION "0"
#define AP_SERVER_PATCHLEVEL "50"

Change those to taste and rebuild, just as for 1.3; the string is compiled into the server. You will find a number of web sites that suggest you can simply use the Header set directive from mod_headers to change the Server header on Apache 2.0. This turns out to be false: the core writes the Server header itself, from that compiled-in string, and discards any Server value a module has placed in the outgoing header table. (The one exception is a proxied response, where the origin server's header is passed through.)

If you happen to be running mod_security (you really should be), you can modify the Server header without recompiling, using the SecServerSignature directive:

SecServerSignature "Wooga-Woo/8.4"

One caveat: mod_security overwrites Apache's own banner string in place, so the directive only takes effect with ServerTokens Full, and a replacement longer than the banner it overwrites is truncated.

While this may seem like a great deal of trouble to go to for a relatively small gain, it is true that every little bit helps. The less information you can give out, the better chance you have of avoiding unauthorized entry. Or, at least, you can slow them down and thus increase your chances of catching them.

If you want to discuss this further, please drop by #apache some time.


In November 2003, O'Reilly Media, Inc. released Apache Cookbook.


