WebApp Sec mailing list archives

Re: About web server version


From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: 28 Apr 2003 08:02:15 -0700


On Apache 1.3.27:

Edit "httpd.h" located in "apache_dir/src/include/"
Find the following lines and edit them to whatever you want.

#define SERVER_BASEVENDOR   "Apache Group"
#define SERVER_BASEPRODUCT  "Apache"
#define SERVER_BASEREVISION "1.3.27"

Recompile and reinstall apache.


However, as to the effectiveness of this technique to prevent people from
attacking your web server, I would have to agree with Kurt. Many attacks
by automated scripts are purely shotgun approaches, not caring what web
server you're running.

However, there are times when limiting the amount of information
disclosed by your system is a good idea. It all depends on the level of
security you feel you need.


Regards,

Jeremiah-




On Sat, 2003-04-26 at 02:17, ystar m wrote:


Hi everybody,
I would like to know if it is possible to modify the
information returned by the web server (apache) about
version, type: apache
I have found the solution to hide the version by adding
this rule to the httpd.conf:
ServerTokens Prod
But I would like this information also not to be
returned to a malicious user that tries to collect
information about the web server


Best regards
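
A check for the result of either change discussed in this thread (ServerTokens Prod, or the edited httpd.h defines), added here as an example and not part of the original messages: it parses the Server header of a response and reports whether the real product name or version still appears. The sample responses, the "Acme/0.1" banner and the function names are constructed for illustration.

```python
import re

# A Server value is a run of product[/version] tokens and "(comment)" groups.
_TOKEN = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/([^\s()]+))?")

def server_header(raw_response):
    """Return the Server header value from a raw response head, or None."""
    for line in raw_response.splitlines()[1:]:   # skip the status line
        if not line:                             # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def audit_banner(raw_response, real_product, real_version):
    """Report what the banner still tells a client about the real server."""
    banner = server_header(raw_response)
    products, comments = [], []
    for m in _TOKEN.finditer(banner or ""):
        if m.group(1) is not None:
            comments.append(m.group(1))          # e.g. the "(Unix)" platform
        else:
            products.append((m.group(2), m.group(3)))
    return {
        "banner": banner,
        "leaks_product": any(p.lower() == real_product.lower() for p, _ in products),
        "leaks_version": any(v and real_version in v for _, v in products),
        "comments": comments,
    }

# Constructed sample responses (not captured from a real host).
HEAD = "HTTP/1.1 200 OK\r\nDate: Mon, 28 Apr 2003 15:02:15 GMT\r\n"
TAIL = "Content-Type: text/html\r\n\r\n<html></html>"
SAMPLES = {
    "default build": HEAD + "Server: Apache/1.3.27 (Unix)\r\n" + TAIL,
    "ServerTokens Prod": HEAD + "Server: Apache\r\n" + TAIL,
    "edited httpd.h": HEAD + "Server: Acme/0.1 (Unix)\r\n" + TAIL,  # made-up values
    "header absent": HEAD + TAIL,
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, audit_banner(raw, "Apache", "1.3.27"))
```

The "comments" field matters for the recompiled case: changing the three defines alters the product and revision tokens, but a platform comment such as "(Unix)" can still be present unless ServerTokens is also restricted.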



