AlanLok dot Com » apache http://www.alanlok.com the place where I rave and rant about all my tech toys... and bore my friends with my camera :) Wed, 28 Sep 2011 02:04:51 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 Locking down Apache Web Server http://www.alanlok.com/2009/07/23/locking-down-apache-web-server/ http://www.alanlok.com/2009/07/23/locking-down-apache-web-server/#comments Thu, 23 Jul 2009 17:12:02 +0000 alan http://www.alanlok.com/?p=23 I was just looking through a security audit of some sites, and half of the complaints include “the ability for people to know your underlying technology”. For those who are using Apache 1.3 or above (and using a distro that has configuration files in /etc/httpd/conf.d), you will find this solution helpful. Simply create a file called /etc/httpd/conf.d/0-security.conf with the below content:

ServerSignature Off

ServerTokens Prod

TraceEnable Off

<Directory />

 <LimitExcept POST GET HEAD>

  Order deny,allow

  Deny from all

 </LimitExcept>

</Directory>

Save it, restart httpd and you are “more” protected… a few notes:

  1. This assumes that your application will only use GET, POST or HEAD. If your application is fancy (or you don’t know your app, then you might want to get rid of the LimitExcept directive)
  2. If your application (or application container such as PHP, Python or Java) generates additional HTTP headers that identify their technology, then you might want to use mod_headers to them.
  3. Anyone with an ounce of network knowledge would know that you can figure out the underlying technology by probing at the TCP layers (nmap with the OS fingerprinting option is very handy). So don’t let auditors fool you – you can’t hide unless you have a security device in front of your servers that remove traces of OS “uniqueness” in layer 3.
]]> http://www.alanlok.com/2009/07/23/locking-down-apache-web-server/feed/ 0