I am trying to reduce the amount of information given out when someone tries
to Banner Grab for Version information. I read that "ServerToken" directive
in httpd.conf file will limit the amount of information given out. First off,
I didn't find the "ServerToken" in the httpd.conf with a search. So I
added it in the Global Setting section (where I found it on RedHat box).
Set it to "ServerToken Prod" or "OS" or "Min", no quotation marks of course.
"ServerSignature On": changed it to "Off", restarted httpd, and then ran
"HEAD / HTTP/1.0" and it still comes back with:
HEAD / HTTP/1.0
Last-Modified: Wed, 11 May 2005 20:16:21 GMT
Client-Date: Tue, 31 May 2005 04:49:32 GMT
404 Not Found
Date: Tue, 31 May 2005 04:31:44 GMT
Server: Apache/2.0.49 (Unix) PHP/4.3.9 # How do I get rid of this and say
Content-Type: text/html; charset=ISO-8859-1
Client-Date: Tue, 31 May 2005 04:49:33 GMT
X-Cache: MISS from firewall.domainname
X-Powered-By: PHP/4.3.9 # How do I get rid of this and say something
I guess my question should be: what controls the amount of information given
out: ServerTokens, ServerSignature, or something else? And to configure these
items do I make my changes in the httpd.conf, or httpd.conf.SuSEconfig, or
in /etc/sysconfig/apache? Which file and variable controls what gets
displayed? I have made changes to ServerTokens and ServerSignature in
httpd.conf and httpd.conf.SuSEconfig, and HTTPD_SEC_SAY_FULLNAME directive
to "no" in /etc/sysconfig/apache at different times and then restarted the
httpd with rchttpd restart, and then did the "HEAD / HTTP/1.0" from the
command line and I always get the above with no changes.
What AM I DOING WRONG?
Any help here would be appreciated.
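
A way to check the result after each configuration change, as an added example that is not part of the original post: it parses a response like the one above and lists the headers that still disclose product, version or OS details. The function names and the header-to-setting mapping (Apache's ServerTokens for Server, PHP's expose_php for X-Powered-By) are this example's own and do not come from the post.

```python
import re
import sys

# Response headers as posted above (inline annotations removed), embedded
# so the check also runs offline.
SAMPLE = """\
404 Not Found
Date: Tue, 31 May 2005 04:31:44 GMT
Server: Apache/2.0.49 (Unix) PHP/4.3.9
Content-Type: text/html; charset=ISO-8859-1
X-Cache: MISS from firewall.domainname
X-Powered-By: PHP/4.3.9
"""

# Header name -> setting that governs it (mapping added by this example).
CONTROLS = {
    "server": "ServerTokens (httpd configuration)",
    "x-powered-by": "expose_php (php.ini)",
}

VERSION = re.compile(r"[A-Za-z][\w.-]*/\d[\w.]*")  # product/version tokens
OS_COMMENT = re.compile(r"\(([^)]+)\)")            # e.g. "(Unix)"

def parse_headers(raw):
    """Return (lowercased name, value) pairs; status and request lines are skipped."""
    headers = []
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() and " " not in name.strip():
            headers.append((name.strip().lower(), value.strip()))
    return headers

def audit(raw):
    """List (header, disclosed tokens, governing setting) for each leaking header."""
    findings = []
    for name, value in parse_headers(raw):
        if name not in CONTROLS:
            continue
        leaks = VERSION.findall(value) + OS_COMMENT.findall(value)
        if leaks:
            findings.append((name, leaks, CONTROLS[name]))
    return findings

if __name__ == "__main__":
    # Pipe real response headers in on stdin, or run with no input for the sample.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, leaks, setting in audit(raw):
        print(f"{name}: discloses {', '.join(leaks)} -> check {setting}")
```

An empty result means neither header carries a version or OS token any more, which is what a bare `Server: Apache` looks like.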