"Changing Web Server Identity"

The first step in attacking any website is to gather as much information about it as possible: the web server used at the back end, the modules compiled into it, and so on. This process, known as web server fingerprinting or banner grabbing, is the basic test that most crawlers and vulnerability scanners run, and they identify vulnerabilities based on its results. To secure websites at this very first step, this article explains how to hide the server identity when the web server in use is Apache.

What is Web Server Fingerprinting?

As explained earlier, web server fingerprinting is the process of learning the basic details of the web server and the options passed to it during compilation. The information revealed helps website hackers because, once they know the web server and the version being run, they can search for the vulnerabilities that exist in that server and version. These vulnerabilities are easy to find on websites such as www.secunia.com, cve.mitre.org and many more. Having said that much, let's come to the point of keeping this information from being revealed. How the server and version information is obtained is explained below:

secaudimachine# telnet localhost 80

HEAD / HTTP/1.0

After you telnet to port 80 of your local machine, type the above and press Enter twice. You will get the server name along with its version and more. If you don't get anything, try either of the following:

secaudimachine# telnet localhost 80
HEAD / HTTP/1.1
Host: localhost

or

secaudimachine# telnet localhost 80

OPTIONS / HTTP/1.0

The example using the OPTIONS method also returns the methods allowed on the web server, and on the basis of this many crawlers and scanners report the TRACE and TRACK methods being enabled on the web server as a vulnerability.

If you need to know the web server of some other website, just replace localhost with the name of the website. If you don't want to do all this but still need to know the web server or the version being run on a website, there are websites like www.netcraft.com which give you this basic information.
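To check what your own server gives away in the responses described above, the following added example (not part of the original article) parses a response head and reports the product versions, OS hints and TRACE/TRACK methods it discloses. The function names and both sample responses are constructed for illustration; fetch_headers sends the same request as the telnet session and is meant for hosts you administer.

```python
import re
import socket

# Constructed sample responses (not captured from a real host).
SAMPLE_FULL = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7c\r\n"
    b"Allow: GET, HEAD, OPTIONS, TRACE\r\n"
    b"\r\n"
)
SAMPLE_MASKED = b"HTTP/1.1 200 OK\r\nServer: Fogi\r\nAllow: GET, HEAD, OPTIONS\r\n\r\n"

def fetch_headers(host, port=80, method="HEAD", timeout=5):
    """Send the request typed in the telnet session and return the raw response head."""
    req = f"{method} / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data

def audit_banner(raw):
    """Return what a banner grab learns from one raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    server = headers.get("server", "")
    # Product tokens look like name/version; parenthesised comments carry the OS.
    versions = dict(re.findall(r"([A-Za-z_][\w.-]*)/(\d[\w.]*)", server))
    os_hints = re.findall(r"\(([^)]*)\)", server)
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    return {
        "server": server,
        "versions": versions,
        "os_hints": os_hints,
        "risky_methods": sorted(allowed & {"TRACE", "TRACK"}),
    }
```

Run audit_banner(fetch_headers("localhost", method="OPTIONS")) before and after changing the identity; an empty "versions" and "os_hints" means the banner no longer exposes a product version or platform.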

How to hide?

There are several methods, depending on which environment you feel comfortable making changes in on your web server. To hide just the very basic information, adjust the ServerTokens and ServerSignature directives; information on them can be obtained from Apache's official website, www.apache.org. However, even after changing these directives, the web server used and its version are still revealed through error pages and certainly through the telnet method explained above. So let's work with the source code directly.

1. If you are setting up a new server and installing Apache on it, make the following changes before compiling:

For Apache 1: in file httpd.h

Change the values of the following macros:

#define SERVER_BASEVENDOR "Apache Group"
#define SERVER_BASEPRODUCT "Apache"
#define SERVER_BASEREVISION "1.3.29"
#define SERVER_BASEVERSION SERVER_BASEPRODUCT "/" SERVER_BASEREVISION
#define SERVER_PRODUCT SERVER_BASEPRODUCT
#define SERVER_REVISION SERVER_BASEREVISION
#define SERVER_VERSION SERVER_PRODUCT "/" SERVER_REVISION

Make changes as you desire. For instance, to have scans report the web server name as SUMI, just change the value of the SERVER_BASEPRODUCT macro to "SUMI" instead of "Apache". The same applies to the others.

For apache 2: In file ap_release.h

If you don't want to change the identity in this manner, another method is to make changes in one particular function:

For Apache 1: ap_set_version() function in file http_main.c

static void ap_set_version(void)
{
    /* set the server name */
    ap_add_version_component("Microsoft-IIS/5.0");
    /* do not allow other modules to add to it */
    version_locked++;
}

Change the server name to whatever you desire.

For Apache 2: ap_set_version() function in file core.c

static void ap_set_version(apr_pool_t *pconf)
{
    /* set the server name */
    ap_add_version_component(pconf, "Microsoft-IIS/5.0");
    /* do not allow other modules to add to it */
    version_locked++;
}

2. For those whose web servers are already running and who can't afford the downtime involved in the above method, this method will work.

Through the mod_security module, the same information can be changed at runtime. The module can easily be compiled for an existing installation using the apxs binary, provided DSO functionality was enabled when Apache was compiled. As for ServerTokens, discussed earlier, this method requires its value to be set to Full, which allows the full information to be revealed. What mod_security actually does is search for the whole string in memory and replace it with the corresponding information provided by us. Setting ServerTokens to Full causes the web server to allocate enough space for the name, giving mod_security enough room to make its changes later. Hence enter the following in the configuration file after the mod_security module has been loaded:

ServerTokens Full

SecServerSignature "Fogi"

With ServerTokens set to Full, all the product information would normally be revealed. Because of the mod_security module, however, this value held in memory is replaced by the information provided in the SecServerSignature directive. It's that easy.

These are all the methods for hiding the web server identity. Go for the one that best suits your web environment.
