In a perfect world you should be fine with whatever default configuration your server comes with. You install your server, set decent iptables rules and you should be good to go as long as you do regular updates. But we don’t live in a perfect world, and the default server configuration is almost never the best configuration, even less so when it comes to security. One of the many ways an attacker plots their attack is by gathering as much information as they can about the server software, and more specifically which version of each package it is running. Some of these packages may have very well known exploits in the wild which can be used to compromise the server. Of course, if you are running a version of the server package that has well-known exploits in the wild, obscuring the server signature will only delay the inevitable.
But even when you are running a patched and up-to-date version of the server, obscuring your server signature adds a layer of protection to an already secured system. Most people who argue against security by obscurity fear that this will only make people lazy about implementing standard security practices. To them I have to say that “You can’t cure stupidity”.
Changing Server Signature with mod_security
ModSecurity works like a firewall for Apache: it checks, logs and prevents malicious activity using a set of rules. Unfortunately the libapache2-mod-security package has been removed from the Debian/Ubuntu repositories, so you will need to download the package manually and install it, which is as simple as selecting the right package for your platform and installing it with dpkg. Installing from source can be a bit tricky but it’s worth the trouble. After you have successfully installed mod_security you will need to reload/restart Apache for the changes to take effect.
To configure a custom Server header, edit your Apache configuration file (usually apache2.conf), turn off ServerSignature and add a new entry called “SecServerSignature” followed by the custom server information you want to reveal to the outside world. The best practice is to use a very obscure server name or a version that doesn’t exist (e.g. Apache 3.9). But you can also show off to your friends (or baffle script kiddies) with funny entries:
ServerSignature Off
SecServerSignature "This Server is running on Caffeine."
Apache needs to be reloaded for this to take effect.
You can use services like securi.net to instantly check whether your custom server signature is actually working.
Or Netcraft, which takes a few days to update.
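Instead of relying on a third-party service, you can verify the change yourself by looking at the headers your server actually sends back. The script below is an added example, not code from the article or from ModSecurity: it parses a raw HTTP response, lists the headers that commonly announce server software (Server, X-Powered-By and similar, since PHP and other modules announce themselves too) and flags any that still carry a dotted version number. The two sample responses are constructed for the demo; the Apache and PHP version strings in them are made up and do not describe any real host. The fetch_headers function uses the standard library to run the same check against a live server you administer.

```python
import re

# Response headers that commonly announce the server software (and its version).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")

# Matches dotted version numbers such as 2.2.11 or 5.2.6.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_headers(raw_response):
    """Return the headers of a raw HTTP response as a dict with lower-cased names.

    Only the head (status line + headers) is parsed; the body is ignored.
    """
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_banner(headers):
    """List every disclosing header present and whether it leaks a version number."""
    findings = []
    for name in DISCLOSING_HEADERS:
        if name in headers:
            value = headers[name]
            findings.append({
                "header": name,
                "value": value,
                "has_version": VERSION_RE.search(value) is not None,
            })
    return findings


def leaks_version(headers):
    """True if any disclosing header still carries a version number."""
    return any(f["has_version"] for f in audit_banner(headers))


def fetch_headers(host, port=80, path="/", timeout=5):
    """Live check against your own server with a HEAD request (http.client, stdlib)."""
    import http.client
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        resp = conn.getresponse()
        return {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


# Constructed sample responses (not captured from any real host): a default
# Apache+PHP banner with made-up version numbers, and the same server after
# the ServerSignature Off / SecServerSignature change from the article.
BEFORE = (b"HTTP/1.1 200 OK\r\n"
          b"Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6\r\n"
          b"X-Powered-By: PHP/5.2.6\r\n"
          b"Content-Type: text/html\r\n\r\n"
          b"<html></html>")
AFTER = (b"HTTP/1.1 200 OK\r\n"
         b"Server: This Server is running on Caffeine.\r\n"
         b"Content-Type: text/html\r\n\r\n"
         b"<html></html>")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        headers = parse_headers(raw)
        print(label, "leaks version:", leaks_version(headers))
        for f in audit_banner(headers):
            flag = " (version!)" if f["has_version"] else ""
            print("  %-13s %s%s" % (f["header"], f["value"], flag))
```

Run it as-is to see the before/after comparison on the constructed samples, or call `leaks_version(fetch_headers("your.host.example"))` against a server you run. A result of False only tells you the banner no longer exposes a version; as the article says, it does nothing for a server that is actually unpatched.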
Filed under: Linux & Open Source, Security
Comments:
-
Pavs
07/07/2009
@Iowe Nmap does OS fingerprinting, not server fingerprinting, to the best of my knowledge. Nmap doesn’t work on this. I tried it.
-
root
07/07/2009
For the lightty fans: add this to your conf for the same effect
server.tag = "lighttpd"
and force-reload to take effect.
-
Skeptic
07/07/2009
The fact of changing the signature alone already gives out that you are using Apache. Plus Apache is the most popular webserver anyway.
-
Dave
07/07/2009
There is no danger in letting people know you are using Apache. There are only a few choices of web server and going through them all is very quick.
There is a danger in letting people know which version of Apache you are using, particularly if it’s out of date. Exposing the version doesn’t increase how vulnerable you are but it does reduce the time it would take an attacker to find the vulnerability in your installation.
The same goes for PHP and any modules you have installed that announce themselves in the headers.
-
dd
07/07/2009
To Dave and Skeptic:
There is no danger in letting people know that you use Apache, but do they need to know that?
Among the basic security principles are “least privilege” and “need to know”, meaning give your users the least privilege and the least amount of information they need to know to do their job.
A visitor to your web site has no need to know which web server you are running, which application, os, etc…
Just taking security one step forward (not through obscurity, but WITH obscurity)
-
robohara
07/07/2009
I don’t think there’s any problem with Security through Obscurity when it is used in conjunction with traditional security methods … but it’s particularly dangerous when administrators rely solely on it.
-
Otto
07/07/2009
While funny and somewhat entertaining, this measure adds no security of any kind.
Security through obscurity is wrong and dangerous.
- Wrong because it isn’t security in any way.
- Dangerous because misinformation like this makes people think they are taking valid security measures when they are not.
I’m very disappointed to see this kind of incorrect material being spread here.
-
David
07/07/2009
So change your tag to say that it’s a Microsoft IIS server. Then not only will they not know it’s Apache, but they will only try exploits that don’t work on Apache.
-
Fox
07/07/2009
Do you honestly think attackers don’t know about the ability of a web server’s signature to be altered? Do you honestly think attackers bother to even check a web server’s signature at all before commencing an attack? They don’t bother – attackers simply fire up their automations which unconditionally attempt to compromise a target.
SecServerSignature provides absolutely no security whatsoever. Zero.
In fact, not only does SecServerSignature provide no additional “layer of protection”, it actually reduces security, by definition. Any secret piece of information (server type/version) constitutes a point of potential compromise. As such, fewer secrets make for a more secure system since there are fewer potential compromises.
Additionally, by changing your web server’s signature, and causing it to misidentify itself, you’re breaking anything that depends on that data being accurate. Much like web applications that have branching logic for different browsers, there are things that have branching logic for different servers. Not to mention skewing web services that report on market share, adoption rates, and such of web servers across the internet.
You should always come from the perspective of an attacker already having intimate details of your system, and you should plan from there, accordingly. Attempting to hide this information is a fool’s errand, does not increase security at all, and detracts from time that could have been spent on implementing actual security improvements. If you’re not 100% secure with them having intimate details of your system, you’re not secure, period.
While I appreciate that you’re promoting security, I feel that you’re doing the community a disservice by promoting security through obscurity. I think we’d be much better off if your writings focused on things you’ve already mentioned that actually do materially increase security: regular updates, software firewalls, secure configurations, etc.
-
07/07/2009
Hmmmmm, Caffeine! I like it!