[22471] in bugtraq
RE: easy remote detection of a running tripwire for webpages syst
daemon@ATHENA.MIT.EDU (Jonathan Sartin)
Thu Aug 30 19:51:16 2001
Message-ID: <D127B0EC0B57D41182880008C71EB3A24F61E8@lonmail.rubus.com>
From: Jonathan Sartin <jonathan.sartin@rubus.com>
To: bugtraq@securityfocus.com
Date: Wed, 29 Aug 2001 09:27:11 +0100

You need to set the ServerTokens directive in httpd.conf to reveal only
those things that you feel appropriate about the server.

Options are:

  min - will return the product and version (i.e. Apache/1.3.0)
  os - will return product version and operating system.
  full - will return everything, including the installed modules (as you
    noted, and probably a bad thing).
  product_only - will return just the product (i.e. Apache)

Default seems to be full.

Examples:

  ServerTokens Prod[uctOnly]
    Server sends (e.g.): Server: Apache
  ServerTokens Min[imal]
    Server sends (e.g.): Server: Apache/1.3.0
  ServerTokens OS
    Server sends (e.g.): Server: Apache/1.3.0 (Unix)
  ServerTokens Full (or not specified)
    Server sends (e.g.): Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2

Note that this works on the server config level and therefore cannot be set
for individual virtualhosts.

Cheers .... J
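
Added example (not part of the original post): a small audit that works out the effective ServerTokens level from httpd.conf text, flags a directive placed inside a <VirtualHost> block, and checks whether an observed Server header reveals more than that level. The function names and the sample config are constructed for illustration; the header formats are the ones listed in the message above.

```python
import re

# Spellings accepted per the post: Prod[uctOnly], Min[imal], OS, Full.
LEVELS = {"prod": "Prod", "productonly": "Prod", "min": "Min",
          "minimal": "Min", "os": "OS", "full": "Full"}
ORDER = ["Prod", "Min", "OS", "Full"]  # least to most verbose

def effective_server_tokens(conf_text):
    """Return (level, warnings) for httpd.conf text; Full when unspecified."""
    level, warnings, in_vhost = "Full", [], False
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            in_vhost = True
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            in_vhost = False
        m = re.match(r"ServerTokens\s+(\S+)", line, re.I)
        if not m:
            continue
        if in_vhost:  # server-config level only, so this one is not counted
            warnings.append(f"line {n}: ServerTokens inside <VirtualHost>")
        elif m.group(1).lower() in LEVELS:
            level = LEVELS[m.group(1).lower()]
        else:
            warnings.append(f"line {n}: unknown value {m.group(1)!r}")
    return level, warnings

def classify_server_header(value):
    """Least verbose ServerTokens level that could yield this Server header."""
    m = re.match(r"([^/\s]+)(/\S+)?(?:\s+(\([^)]*\)))?(?:\s+(.+))?$", value.strip())
    if not m:
        return None
    _, version, os_part, modules = m.groups()
    if modules:
        return "Full"
    if os_part:
        return "OS"
    return "Min" if version else "Prod"

def header_exceeds_config(conf_text, observed_header):
    """True when the observed header reveals more than the config intends."""
    level, _ = effective_server_tokens(conf_text)
    seen = classify_server_header(observed_header)
    return seen is not None and ORDER.index(seen) > ORDER.index(level)

# Constructed sample config: the vhost-level directive is the mistake to catch.
SAMPLE_CONF = "ServerTokens Min\n<VirtualHost *:80>\nServerTokens Prod\n</VirtualHost>\n"
```

A Full server with no extra modules sends the same header as OS, so classify_server_header reports the least verbose level consistent with what was observed.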