Security Basics mailing list archives
Re: response header fields
From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Wed, 12 Aug 2009 15:27:13 -0400
On Wed, 2009-08-12 at 21:00 +0200, Edjenguele wrote:
Or just edit httpd.conf and change "ServerTokens" to "Prod".
Yes, but this only reduces the signature to the "product name" so "Apache",
Agreed, although you can also enumerate that by looking at returning error codes. You can't hide which Web server product you are running. You can however make it a little more difficult to enumerate version.
Even if it doesn't reveal the OS type, a malicious user can force an attack by trying all possible exploits against the host.
Agreed. That's why I also wrote:
Without the benefit of the banner, the attacker would be forced to try each of their attacks in order to see if they will work. If we are vulnerable, we’re still going to get whacked. If we’re not, we have just forced the attacker to start generating log entries that will clue us in that the source IP is hostile. In other words, we’ve called their bluff so we now get to see their losing cards. This gives us an audit history and time to respond accordingly.
HTH,
C
---
www.chrisbrenton.org
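The point above about failed attempts generating log entries, shown as an added example that is not part of the original post: a small detector that reads Apache access-log lines and reports source IPs whose requests failed (4xx/5xx) against many different targets. It assumes the common/combined log format; the function name, the threshold of 4 and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})\b'
)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Aug/2009:15:01:02 -0400] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [12/Aug/2009:15:01:03 -0400] "GET /missing.png HTTP/1.1" 404 208
198.51.100.7 - - [12/Aug/2009:15:01:09 -0400] "GET /missing.png HTTP/1.1" 404 208
203.0.113.9 - - [12/Aug/2009:15:02:00 -0400] "GET /cgi-bin/a.cgi HTTP/1.0" 404 208
203.0.113.9 - - [12/Aug/2009:15:02:00 -0400] "GET /cgi-bin/b.cgi HTTP/1.0" 404 208
203.0.113.9 - - [12/Aug/2009:15:02:01 -0400] "GET /scripts/c.dll?x=1 HTTP/1.0" 404 208
203.0.113.9 - - [12/Aug/2009:15:02:01 -0400] "GET /scripts/c.dll?x=2 HTTP/1.0" 404 208
203.0.113.9 - - [12/Aug/2009:15:02:02 -0400] "POST /old/d.php HTTP/1.0" 403 199
203.0.113.9 - - [12/Aug/2009:15:02:03 -0400] "-" 400 226
this line is not a log entry
"""


def probing_sources(log_text, min_distinct_failures=4):
    """Map each source IP to the distinct targets it requested that failed
    (4xx/5xx), keeping only IPs at or above the threshold."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log entries
        if not 400 <= int(m["status"]) <= 599:
            continue
        parts = m["req"].split()
        # Malformed requests (logged as "-") have no path; keep the raw text.
        target = parts[1] if len(parts) >= 2 else m["req"]
        failed[m["ip"]].add(target.split("?", 1)[0])  # ignore query strings
    return {
        ip: sorted(targets)
        for ip, targets in failed.items()
        if len(targets) >= min_distinct_failures
    }


if __name__ == "__main__":
    for ip, targets in probing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(targets)} distinct failed targets: {targets}")
```

Counting distinct failed targets rather than raw error totals keeps a visitor who repeatedly hits one broken link from being reported alongside a source that is working through a list.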