Joshua, that is not entirely true. By making believe you're running a different webserver than you really are ... you can potentially buy yourself some valuable time. If an attacker wants to attack/cripple your site, he/she will most likely first try all known vulnerabilities for that webserver first. So, if you make it appear you're running IIS, while in reality you're running Apache, there is a big chance you'll see IIS attacks hit your webserver first, which will hopefully set off your IDS. I have modsecurity running on my apache instances, and I often see all kinds of IIS exploits hitting my box. This then gives me time to look through my various apache and firewall logs, and take some corrective measures like for instance slapping some IPTables rules on the box to block that IP. If I weren't masking my web server, I'd probably get hit with Apache exploits right away, which could potentially give me less time to respond since an attacker could potentially find either a way in and/or do damage much quicker. Granted, this is not ALWAYS the case ... but in my experience it really does help.

--- Joshua Slive <joshua@xxxxxxxx> wrote:

> On 1/24/07, Simon Ashford <Simon.Ashford@xxxxxxxxx> wrote:
> >
> > Hmmm...
> >
> > Doesn't seem to work. Still get "Server: Apache" in the
> > HTTP headers regardless of SecServerSignature.
> >
> > Get the impression from various reading that the Server
> > header is added by Apache pretty much at the very end of
> > processing, after anything done by other modules.
> >
> > Probably something the developers ought to address. It would
> > be nice, for example, to be able to put "ServerTokens None"
> > or some such in the basic configuration file without needing
> > any other modules loaded...
>
> Go search the dev list. You'll see that this question has been
> addressed in depth, probably a dozen different times. The answer is:
> You don't gain any security by omitting or lying in the Server header,
> so it is your "security audit" that is faulty, not apache.
>
> (Many of us would still like to see the "ServerTokens None" option,
> but only to get rid of silly discussions like these. It doesn't
> actually do any good and can potentially do harm.)
>
> Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
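Two practical checks come out of this exchange: verifying what `Server` header your box actually sends (Simon's complaint is that the configured masking did not take effect), and turning platform-mismatched requests in the access log into the early-warning signal the reply above describes. The script below is an added example, not code from this thread or from the Apache or ModSecurity projects. It parses Apache "combined" log lines and flags requests for resources that only exist on an IIS host, then counts them per client so the noisy ones can be handed to a firewall rule; the log lines, the HTTP response bytes and the list of IIS-only path patterns are all constructed for illustration and are assumptions you would replace with your own.

```python
import re
from collections import Counter

# Apache "combined" log format: client IP, ident, user, [time], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Resource patterns that only make sense on a Microsoft IIS host. A request for one of
# these on an Apache box is a platform-mismatched probe. Illustrative list (assumption):
# tune it to the platform you are pretending to be.
IIS_ONLY_PATTERNS = [
    re.compile(r"\.aspx?(\?|$)", re.IGNORECASE),      # ASP / ASP.NET pages
    re.compile(r"^/_vti_bin/", re.IGNORECASE),         # FrontPage Server Extensions
    re.compile(r"^/iisadmin/", re.IGNORECASE),         # IIS administration site
    re.compile(r"^/scripts/.*\.dll", re.IGNORECASE),   # ISAPI extensions under /scripts
]


def parse_line(line):
    """Split one combined-format log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_platform_mismatch(path):
    """True when the requested path belongs to a platform we are not running."""
    return any(p.search(path) for p in IIS_ONLY_PATTERNS)


def find_probes(lines):
    """Return (ip, path, status) for every request aimed at an IIS-only resource."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_platform_mismatch(rec["path"]):
            hits.append((rec["ip"], rec["path"], int(rec["status"])))
    return hits


def probes_by_ip(lines, threshold=2):
    """Count mismatched probes per client; IPs at or over the threshold are block candidates."""
    counts = Counter(ip for ip, _, _ in find_probes(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def server_header(raw_response):
    """Return the Server header value from a raw HTTP response (bytes), or None if absent.

    Use this against a real response from your own host rather than trusting that a
    ServerTokens / SecServerSignature setting took effect."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    for hdr in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = hdr.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


# Constructed sample data (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jan/2007:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Jan/2007:10:01:05 +0000] "GET /default.asp HTTP/1.1" 404 213 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Jan/2007:10:01:06 +0000] "GET /_vti_bin/shtml.dll HTTP/1.1" 404 213 "-" "Mozilla/5.0"',
    '198.51.100.12 - - [24/Jan/2007:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 2310 "-" "curl/7.15"',
    '198.51.100.12 - - [24/Jan/2007:10:02:01 +0000] "HEAD /login.aspx HTTP/1.1" 404 0 "-" "curl/7.15"',
]

SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 24 Jan 2007 10:00:00 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)

if __name__ == "__main__":
    print("Banner actually sent:", server_header(SAMPLE_RESPONSE))
    for ip, path, status in find_probes(SAMPLE_LOG):
        print(f"mismatched probe from {ip}: {path} -> {status}")
    print("block candidates:", probes_by_ip(SAMPLE_LOG))
```

On the sample data the first client trips the threshold with two IIS-style requests while the second is below it, which is the kind of per-IP summary the reply above feeds into IPTables rules. The `server_header` check is the other half of the thread: read the header off a real response, since the masking directive may be overridden later in Apache's processing than you expect.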