Apache Banners

Service banner grabbing is no longer the prominent issue it once was. Todays fire and forget worms probe large IP ranges so quickly that they just try to brute force compromise any servers they encounter and hope to get lucky without checking the product name or version of the target.

While these are the most common attacks you will see on your Apache server its also worth noting that they are the easiest ones to defend against. The real problem are the attacks launched with an actual person paying attention to the results. In this entry we’re going to look at minimizing the details they can get regarding your Apache server.

When you make a request to a webserver one of the headers in the response is the ‘Server:’ header, this contains details regarding the server that processed the request and can be a wealth of information, lets look at the value returned from a basic Apache server with some modules compiled in:

Apache/1.3.24 (Unix) Debian GNU/Linux mod_accounting/0.4 PHP/4.1.1 mod_ssl/2.8.7 OpenSSL/0.9.6g mod_perl/1.24

This output was gathered from one of my older test machines, to check the settings on your own server (or anyone else’s if you must) you have two options, an easy and a hard one. The easy option requires you to have a Perl install with LWP, if you have this then you can just run a “HEAD servername | grep ‘^Server’”, this will return the server header and associated details.

If you don’t have a configured Perl install then you can check the details by hand, follow the step by step instructions, after you’ve finished typing press return twice, the headers will then be displayed.

telnet servername 80 HEAD / HTTP/1.0

Now we’ve seen how helpful the default Server header can be and how to check the current value lets bring this to a close and look at how to change the details returned. Apache (both the 1.3.* and 2.0.* series) have a directive called ServerTokens. This takes one of a number of possible options that control how verbose its output is.

The default value (used if no ServerTokens directive is present) and “ServerTokens Full” returns the long overly welcoming version string given above. There are a number of more restrictive steps leading down to the tight lipped “ServerTokens Prod” with returns ‘Apache’.

If you want to read the official word on using the ServerTokens directive docs are available whether your a stalwart conservative using Apache 1.3.* or a dynamic pioneer betting the (server) farm on Apache 2.0. It is worth noting that the 2.0. ServerTokens supports one additional option, ‘Major’ which returns the string ‘Apache/2’.