Hello:
I am trying to reduce the amount of information given out when someone tries
to Banner Grab for Version information. I read that "ServerToken" directive
in httpd.conf file will limit the amount of information given out. First off
I didn't find the "ServerToken" in the httpd.conf with a search. So I
added it in the Global Setting section (where I found it on RedHat box).
Set it to "ServerToken Prod" or "OS" or "Min" no quotation marks of course.
I found "ServerSignature On" changed it to "Off", restarted httpd, and then ran
"HEAD / HTTP/1.0" and it still comes back with
HEAD / HTTP/1.0
200 OK
Content-Length: 720
Content-Type: text/html
Last-Modified: Wed, 11 May 2005 20:16:21 GMT
Client-Date: Tue, 31 May 2005 04:49:32 GMT
404 Not Found
Date: Tue, 31 May 2005 04:31:44 GMT
Server: Apache/2.0.49 (Unix) PHP/4.3.9 # How do I get rid of this and say something else
Content-Length: 1335
Content-Type: text/html; charset=ISO-8859-1
Client-Date: Tue, 31 May 2005 04:49:33 GMT
Client-Response-Num: 1
Proxy-Connection: close
X-Cache: MISS from firewall.domainname
X-Powered-By: PHP/4.3.9 # How do I get rid of this and say something else
I guess my question should be what controls the amount of information given
out: ServerTokens, ServerSignature, or something else? And to configure these
items do I make my changes in the httpd.conf, or httpd.conf.SuSEconfig, or
in /etc/sysconfig/apache? Which file and variable controls what gets
displayed? I have made changes to ServerTokens and ServerSignature in
httpd.conf and httpd.conf.SuSEconfig, and HTTPD_SEC_SAY_FULLNAME directive
to "no" in /etc/sysconfig/apache at different times and then restarted the
httpd with rchttpd restart, and then did the "HEAD / HTTP/1.0" from the
command line and I always get the above with no changes.
What AM I DOING WRONG?
Any help here would be appreciated.
Thanks:
Steve
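
An added example, not part of the original post: a small Python check that parses a captured response like the one quoted above and reports which headers still disclose a product version or platform, so a configuration change can be verified after each restart. The sample response is constructed from the output in the post; the BANNER_HEADERS list and the function names are assumptions of this example.

```python
import re

# Constructed sample, modelled on the response headers quoted in the post.
SAMPLE = """\
404 Not Found
Date: Tue, 31 May 2005 04:31:44 GMT
Server: Apache/2.0.49 (Unix) PHP/4.3.9
Content-Type: text/html; charset=ISO-8859-1
X-Cache: MISS from firewall.domainname
X-Powered-By: PHP/4.3.9
"""

# Headers that commonly carry product banners (assumed list for this example).
BANNER_HEADERS = {"server", "x-powered-by", "via"}
# A product/version token such as Apache/2.0.49.
VERSION_TOKEN = re.compile(r"([A-Za-z][\w.+-]*)/(\d[\w.]*)")
# A parenthesised platform comment such as (Unix).
PLATFORM = re.compile(r"\(([^)]+)\)")


def parse_headers(raw):
    """Return (name, value) pairs, skipping request and status lines."""
    headers = []
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        # Header names never contain spaces; "HEAD / HTTP/1.0" has no colon.
        if sep and name and " " not in name:
            headers.append((name.strip(), value.strip()))
    return headers


def audit(raw):
    """List (header, kind, detail) for every version or platform disclosure."""
    findings = []
    for name, value in parse_headers(raw):
        if name.lower() not in BANNER_HEADERS:
            continue
        for product, version in VERSION_TOKEN.findall(value):
            findings.append((name, "version", f"{product}/{version}"))
        for platform in PLATFORM.findall(value):
            findings.append((name, "platform", platform))
    return findings


if __name__ == "__main__":
    for header, kind, detail in audit(SAMPLE):
        print(f"{header}: discloses {kind} {detail}")
```

An empty result from `audit()` means none of the checked headers carries a version token or platform comment.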