Setting Server Tokens for Security

hostpc.com

I'm looking to change the server tokens on a machine, www0.hostpc.com

I've set, for Apache:

ServerSignature Off
ServerTokens Prod

The first one, ServerSignature Off, tells Apache not to display the server version on error pages or other pages it generates.

The second one, ServerTokens Prod, tells Apache to only return Apache in the Server header, returned on every page request.

But places like whois.sc/hostpc.com are still able to pick up version information.

Server Type: Apache/1.3.34 (Unix) mod_fastcgi/2.4.2 mod_ssl/2.8.25 OpenSSL/0.9.7a DAV/1.0.3 PHP/4.4.1 mod_perl/1.29 FrontPage/5.0.2.2510


My question would be: where are all the correct server tokens set to disable the versions from displaying?


Thanks for any assistance you can offer.

Joe
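
An added example, not part of the original thread: a small Python check that splits a Server header into product tokens and comments and lists what it discloses, run on the banner quoted in the post above and on the bare Apache value that ServerTokens Prod is meant to produce. The function names are my own; fetch_server_header reads the header straight from your own server so it can be compared with what third-party lookup sites display.

```python
import http.client
import re

# Banner quoted in the post above, and the value ServerTokens Prod should yield.
FULL_BANNER = ("Apache/1.3.34 (Unix) mod_fastcgi/2.4.2 mod_ssl/2.8.25 "
               "OpenSSL/0.9.7a DAV/1.0.3 PHP/4.4.1 mod_perl/1.29 FrontPage/5.0.2.2510")
PROD_BANNER = "Apache"

# One header element: a "(comment)" or a product token with optional "/version".
_ELEMENT = re.compile(
    r"\((?P<comment>[^()]*)\)|(?P<product>[^\s/()]+)(?:/(?P<version>[^\s()]+))?")

def parse_server_header(value):
    """Split a Server header into (kind, name, version) tuples."""
    items = []
    for m in _ELEMENT.finditer(value):
        if m.group("comment") is not None:
            items.append(("comment", m.group("comment").strip(), None))
        else:
            items.append(("product", m.group("product"), m.group("version")))
    return items

def audit_server_header(value):
    """Return findings that reveal more than a bare product name."""
    items = parse_server_header(value)
    findings = []
    for kind, name, version in items:
        if kind == "comment":
            findings.append(f"platform comment: ({name})")
        elif version:
            findings.append(f"version disclosed: {name}/{version}")
    products = [name for kind, name, _ in items if kind == "product"]
    if len(products) > 1:
        findings.append(f"modules listed: {', '.join(products[1:])}")
    return findings

def fetch_server_header(host, port=80, timeout=5):
    """Send HEAD / to the host and return its live Server header (None if absent)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()

if __name__ == "__main__":
    for banner in (FULL_BANNER, PROD_BANNER):
        print(banner, "->", audit_server_header(banner) or "product name only")
```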
 
jlasman said:
Sure.

netcraft.com.

But it shows full information as well.

Jeff

Thank you - which brings me back to my original question:

My question would be: where are all the correct server tokens set to disable the versions from displaying?

If
ServerSignature Off
ServerTokens Prod

doesn't disable the Apache version listing - what does?
 
I previously changed the /etc/httpd/conf/httpd.conf to have:
ServerSignature Off
and my version info is not showing at the sites you list.

I did NOT, however, add or change:
ServerTokens Prod
My conf file has nothing with the word token in it at all. Perhaps this one is messing you up. I am using Apache 1.3.34 like you.

I also noticed this line in the conf file:
SecServerSignature "Apache"
I didn't change this one, but this is the word that pops up on mine by itself, with nothing else listed at all besides that. Perhaps this is used for these sites sometimes. (a total guess)

Also, as an FYI, you can also secure your version of BIND, which I see you have not done. To do that, add the first line in the options section in /etc/named.conf as below:
options {
    version "Version Secured";
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
};

And restart BIND.

You can verify the changes at http://www.dnsreport.com/tools/dnsreport.ch?domain=hostpc.com
Last section in ns section under INFO will show the following after the change:
Your nameservers have the following versions:
(ns1 ip#): "Version Secured"
(ns2 ip#): "Version Secured"
Whereas now it shows 9.2.4 for you.
 
When I'm at the office I can figure out what we do to new server builds, and report back.

:)

Jeff
 