Security Basics mailing list archives

Re: response header fields


From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Wed, 12 Aug 2009 15:27:13 -0400

On Wed, 2009-08-12 at 21:00 +0200, Edjenguele wrote:

> > Or just edit httpd.conf and change "ServerTokens" to "Prod".
>
> yes, but this only reduces the signature to the "product name" so
> "Apache",

Agreed, although you can also enumerate that by looking at returning
error codes. You can't hide which Web server product you are running.
You can however make it a little more difficult to enumerate version.

> even if it doesn't reveal the OS type a malicious user can
> force an attack by trying all possible exploits against the host.

Agreed. That's why I also wrote:

Without the benefit of the banner, the attacker would be forced to try
each of their attacks in order to see if they will work. If we are
vulnerable, we’re still going to get whacked. If we’re not, we have just
forced the attacker to start generating log entries that will clue us in
that the source IP is hostile. In other words, we’ve called their bluff
so we now get to see their losing cards. This gives us an audit history
and time to respond accordingly.

HTH,
C
---
www.chrisbrenton.org
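The point above, that a server without a version banner forces a blind attacker to leave a trail in the access log, implies a simple defender-side check. The following is an added example, not code from the thread: it parses Apache combined-format access log lines (a constructed sample, with placeholder documentation-range IPs) and flags source IPs that accumulate 4xx responses across several distinct paths, the pattern blind probing produces.

```python
"""Flag source IPs whose run of failed requests looks like blind probing.
Added example for this thread; the log lines below are constructed."""
import re
from collections import defaultdict

# Apache "combined" log format (LogFormat "%h %l %u %t \"%r\" %>s %b ...").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one normal visitor, one source walking non-existent
# paths, and one visitor with a single broken image link.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2009:15:01:02 -0400] "GET /index.html HTTP/1.1" 200 1532
203.0.113.7 - - [12/Aug/2009:15:01:05 -0400] "GET /about.html HTTP/1.1" 200 801
198.51.100.23 - - [12/Aug/2009:15:02:10 -0400] "GET /cgi-bin/test HTTP/1.0" 404 209
198.51.100.23 - - [12/Aug/2009:15:02:10 -0400] "GET /admin/ HTTP/1.0" 404 209
198.51.100.23 - - [12/Aug/2009:15:02:11 -0400] "GET /setup/ HTTP/1.0" 404 209
198.51.100.23 - - [12/Aug/2009:15:02:11 -0400] "GET /backup/ HTTP/1.0" 404 209
198.51.100.23 - - [12/Aug/2009:15:02:12 -0400] "GET /server-status HTTP/1.0" 403 202
192.0.2.9 - - [12/Aug/2009:15:03:00 -0400] "GET /missing.png HTTP/1.1" 404 209
"""


def parse_line(line):
    """Return {ip, status, path} for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m["req"].split(" ")
    path = parts[1] if len(parts) >= 2 else m["req"]
    return {"ip": m["ip"], "status": int(m["status"]), "path": path}


def suspicious_sources(log_text, min_errors=3, min_paths=3):
    """Return {ip: 4xx_count} for sources with at least min_errors client errors
    spread over at least min_paths distinct paths (one broken link is not enough)."""
    errors = defaultdict(int)
    paths = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and 400 <= rec["status"] < 500:
            errors[rec["ip"]] += 1
            paths[rec["ip"]].add(rec["path"])
    return {ip: n for ip, n in errors.items()
            if n >= min_errors and len(paths[ip]) >= min_paths}


if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} client errors across distinct paths")
```

On a real host, feed it `access_log` after turning off the version banner (ServerTokens Prod, ServerSignature Off) and the flagged sources are exactly the ones the post says will have been forced to show their hand.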


