
HTTP Server Type and Version

This entry from Security Metrics indicates that some risk may be derived from an attacker knowing the type and version of the underlying Apache web server, which is reported in the Server header of every HTTP response.

ClearCenter response

Short response

This issue does not present a tangible risk to the running system.

Long response

Knowing the server version does not, by itself, present a specific risk. The argument for hiding it is that knowing the type and version of the server running may embolden an attacker into further investigation. It can equally be argued that the version string dissuades further investigation, since this system receives timely updates and an attacker who sees a current version has nothing version-specific to work with. Hiding the banner is obscurity rather than a fix: it removes no vulnerability, and the server type can still be fingerprinted from its behaviour (error pages, header ordering, module responses).

Resolution

No action required.

Optionally, if you want to remove the OS and version reported by your Apache Web Server, perform the following:

First, establish a baseline by looking at your own headers:

curl --head localhost

Next, modify the /etc/httpd/conf/httpd.conf file and change the following two directives (to modify this for Webconfig [port 81], use /usr/clearos/sandbox/etc/httpd/conf/httpd.conf instead). ServerTokens controls how much the Server header reveals: OS sends the product, version and operating system (for example Apache/2.2.15 (CentOS)), while Prod sends only the product name (Apache). ServerSignature controls the footer line on server-generated pages such as error pages and directory listings; Off removes it. Change:

ServerSignature On
ServerTokens OS

to:

ServerSignature Off
ServerTokens Prod

(optional) … and while you are at it, stop PHP from revealing its version as well. With expose_php enabled, PHP adds an X-Powered-By: PHP/x.y.z header to every response it generates. Modify /etc/php.ini and change:

expose_php = On

to this:

expose_php = Off

Restart the web service:

service httpd restart

Lastly, re-examine the headers and confirm that the Server line now reads only Apache and that the X-Powered-By header is gone (if you changed expose_php):

curl --head localhost
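As an added example (not ClearOS or Security Metrics code), the following POSIX shell script automates the before/after comparison in this procedure: it checks curl --head output for a Server header that still carries a version or OS tag and for the PHP X-Powered-By header, reads an httpd.conf to report the effective ServerTokens and ServerSignature values, and applies the two-directive change while keeping a .bak copy. The function names (header_leaks, conf_check, harden_conf), the sample headers, the config fragment and the version numbers in them are all constructed for this example. Against a live system the check is: curl --head localhost | header_leaks

```shell
#!/bin/sh
# Added example, not ClearOS or Security Metrics code. Checks HTTP response
# headers and an httpd.conf for version disclosure, and applies the
# ServerTokens/ServerSignature change from the procedure above.
# All sample headers and config text below are constructed for the example.

# header_leaks: read HTTP response headers (curl --head output) on stdin.
# Prints each disclosing header; exit 0 if nothing disclosing was found,
# exit 1 otherwise.
header_leaks() {
    tr -d '\r' | awk '
        tolower($0) ~ /^server:/ {
            # ServerTokens Prod leaves just "Server: Apache"; a "/" or "("
            # means a version (Apache/2.x.y) or OS tag is still present.
            if (index($0, "/") || index($0, "(")) { print "leak: " $0; found = 1 }
        }
        tolower($0) ~ /^x-powered-by:/ {
            # Emitted by PHP while expose_php = On.
            print "leak: " $0; found = 1
        }
        END { if (found) exit 1; exit 0 }
    '
}

# conf_check: read httpd.conf text on stdin, print the effective
# ServerTokens and ServerSignature values (comment lines skipped; a later
# directive overrides an earlier one), exit 0 only for Prod / Off.
conf_check() {
    awk '
        BEGIN { tokens = "Full"; sig = "Off" }   # Apache defaults when a directive is absent
        /^[[:space:]]*#/ { next }
        tolower($1) == "servertokens"    { tokens = $2 }
        tolower($1) == "serversignature" { sig = $2 }
        END {
            printf "ServerTokens=%s ServerSignature=%s\n", tokens, sig
            if (tolower(tokens) == "prod" && tolower(sig) == "off") exit 0
            exit 1
        }
    '
}

# harden_conf: rewrite the two directives (as capitalised in the stock
# httpd.conf) in the file named by $1, keeping the original as $1.bak.
harden_conf() {
    sed -i.bak \
        -e 's/^[[:space:]]*ServerSignature[[:space:]].*/ServerSignature Off/' \
        -e 's/^[[:space:]]*ServerTokens[[:space:]].*/ServerTokens Prod/' \
        "$1"
}

# Constructed sample data (version strings are illustrative, not measured).
BEFORE_HEADERS='HTTP/1.1 200 OK
Date: Thu, 29 Jan 2015 16:36:00 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Type: text/html; charset=UTF-8
'
AFTER_HEADERS='HTTP/1.1 200 OK
Date: Thu, 29 Jan 2015 16:36:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
'
SAMPLE_CONF='# constructed httpd.conf fragment
ServerSignature On
ServerTokens OS
'

# Demonstration: the headers before and after the change, then the config.
if printf '%s' "$BEFORE_HEADERS" | header_leaks; then
    echo "before: no disclosure"
else
    echo "before: disclosure found"
fi
if printf '%s' "$AFTER_HEADERS" | header_leaks; then
    echo "after: no disclosure"
fi

tmpconf=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$tmpconf"
conf_check < "$tmpconf" || echo "config still discloses; hardening"
harden_conf "$tmpconf"
conf_check < "$tmpconf" && echo "config hardened"
rm -f "$tmpconf" "$tmpconf.bak"
```

conf_check reads the file the way Apache does for these directives (the last uncommented occurrence wins), so it will also catch a stray ServerTokens Full added further down the file. Removing the Server version does not remove the X-Powered-By line; that needs the expose_php change in php.ini.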


content/en_us/kb_3rdparty_security_metrics_http_server_type_and_version.txt · Last modified: 2015/01/29 16:36 (external edit)