Getting apache to stop displaying banner on errors.
Hello,
By default apache shows its "name and number" on 404 pages (probably others too):
Apache/1.3.14 Server at asdf.com Port 80
I'd like to get rid of that. What's the proper way to remove that? I'd like to have it just give the webmaster@ email address without divulging any info
----------------------------------------------------
Jonathan Wilson
System Administrator
Cedar Creek Software http://www.cedarcreeksoftware.com
Central Texas IT http://www.centraltexasit.com
On Fri, 8 Jun 2001, JW wrote:
By default apache shows its "name and number" on 404 pages (probably others too):
Apache/1.3.14 Server at asdf.com Port 80
I'd like to get rid of that. What's the proper way to remove that? I'd like to have it just give the webmaster@ email address without divulging any info
create your own error-documents - see "ErrorDocument" in the apache documentation and in httpd.conf.
c'ya
sven
--
The Internet treats censorship as a routing problem, and routes around it. (John Gilmore on http://www.cygnus.com/~gnu/)
On Fri, Jun 08, 2001 at 17:37 -0500, JW wrote:
By default apache shows its "name and number" on 404 pages (probably others too):
Apache/1.3.14 Server at asdf.com Port 80
I'd like to get rid of that. What's the proper way to remove that? I'd like to have it just give the webmaster@ email address without divulging any info
Dumb question: What does it buy you? That's called toying with banners and falls into the security by obscurity category. If you change banners, there's still the possibility of fingerprinting a service. If you believe in this to work for you, make sure you change the HTTP/1.x response headers, too.
BTW: you did have a look at the server's configuration file, didn't you? Because the settings are in there and are very well documented ...
If you think about it again, there's absolutely no benefit in such actions. Hiding the version doesn't make the builtin and configured bugs disappear.
When kids don't know what version of a service is running, they simply try nudging with all the tools they have available. Many of them aren't even able to tell one OS from another. It's been funny to me in the beginning and has become boring by now to see them running Apache and IIS exploits plus all the Windows specific stuff against a publicfile server (which definitely only runs on UNIX flavours). And there have been numerous discussions about "don't believe in banners, try for all the bugs since some admins think they can fool you this easily".
The baseline is: As soon as you provide a service on the net you will get probed and nudged. Make sure you use decent software and configure it correctly. Everything else is fooling yourself if you believe it's a solution and not just a hack.
virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
I'd like to get rid of that. What's the proper way to remove that? I'd like to have it just give the webmaster@ email address without divulging any info
Dumb question: What does it buy you? That's called toying with
It may prevent an attack or confuse an attacker's script. I used to set my sendmail banners to report ancient versions. As long as this is not your only line of defence then why not, in most cases it doesn't take a lot of effort.
-Kurt
* JW wrote on Fri, Jun 08, 2001 at 17:37 -0500:
Apache/1.3.14 Server at asdf.com Port 80
Search online documentation for ServerSignature (maybe this option has some slightly different name). Then please reply and post the solution (for the list archives).
oki,
Steffen
--
This letter was generated automatically and therefore bears neither signature nor seal.
On Saturday 09 June 2001 11:24, Steffen Dettmer babbled:
* JW wrote on Fri, Jun 08, 2001 at 17:37 -0500:
Apache/1.3.14 Server at asdf.com Port 80
Search online documentation for ServerSignature (maybe this option has some slightly different name). Then please reply and post the solution (for the list archives).
oki,
Steffen
It's simple. No searching needed.
ServerSignature On - you get what you are getting.
ServerSignature Off - you get nada.
ServerSignature Email - you get what you are getting as well as the webmaster email address (as set in httpd.conf)
--
Douglas J. Hunley (Linux User #174778)
http://hunley.homeip.net/
http://linux.nf/
"Until you stalk and overrun, you can't devour anyone." --- Hobbes
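Added example, not part of the original thread: a small Python check for confirming the result after changing the configuration. It looks at both places discussed above, the error page footer controlled by ServerSignature and the HTTP Server response header; the sample responses, the `(Unix)` token and the product list in the regex are constructed for illustration.

```python
import re

# Product/version token such as "Apache/1.3.14" (product list is an assumption).
VERSION_TOKEN = re.compile(r"\b(?:Apache|Microsoft-IIS|nginx)/\d+(?:\.\d+)+", re.I)
# Footer appended to server-generated pages when ServerSignature is On or EMail.
SIGNATURE_FOOTER = re.compile(r"<address>(.*?)</address>", re.I | re.S)

def split_response(raw):
    """Split a raw HTTP response into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def banner_leaks(raw):
    """Return (location, leaked text) pairs found in one response."""
    headers, body = split_response(raw)
    findings = []
    server = headers.get("server", "")
    if VERSION_TOKEN.search(server):
        findings.append(("Server header", server))
    for footer in SIGNATURE_FOOTER.findall(body):
        text = re.sub(r"<[^>]+>", "", footer).strip()  # drop mailto: markup
        if VERSION_TOKEN.search(text):
            findings.append(("error page footer", text))
    return findings

# Constructed sample responses (not captured from a real host).
_HEAD = "HTTP/1.1 404 Not Found\r\nServer: {}\r\nContent-Type: text/html\r\n\r\n"
_PAGE = "<HTML><BODY><H1>Not Found</H1>{}</BODY></HTML>"
DEFAULT_404 = (_HEAD.format("Apache/1.3.14 (Unix)") + _PAGE.format(
    "<HR><ADDRESS>Apache/1.3.14 Server at asdf.com Port 80</ADDRESS>"))
# ServerSignature Off removes the footer, but the header is unchanged.
SIGNATURE_OFF_404 = _HEAD.format("Apache/1.3.14 (Unix)") + _PAGE.format("")
# Custom ErrorDocument body plus a product-only Server header.
CUSTOM_404 = _HEAD.format("Apache") + _PAGE.format(
    "Please report problems to webmaster@asdf.com")

if __name__ == "__main__":
    for name in ("DEFAULT_404", "SIGNATURE_OFF_404", "CUSTOM_404"):
        print(name, banner_leaks(globals()[name]))
```

The middle sample shows why turning the footer off is only half the change: the version is still reported in the Server header until that is reduced as well.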
participants (6)
- Douglas J. Hunley
- Gerhard Sittig
- JW
- Kurt Seifried
- Steffen Dettmer
- Sven Koch