The first thing a hacker will do when attacking your web application is gather information about your web server. Using the netcat tool is pretty easy, even for script kiddies. For example, the following simple command can reveal the web server brand, version and operating system:
nc xxx.xxx.xxx.xxx 80
HEAD / HTTP/1.0
Here is the result:
HTTP/1.1 200 OK
Date: Fri, 20 Jan 2012 14:24:08 GMT
Server: Apache/2.2.16 (Debian)
Last-Modified: Tue, 15 Nov 2011 09:24:49 GMT
ETag: "180d5-b1-4b1c28f12fa40"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
As you can see, some dangerous information about the web server is exposed.
Also, if you request a non-existing page, the server will respond with full details about itself and the host OS:
Not Found
The requested URL /hack-test was not found on this server.
Apache/2.2.20 (Unix) DAV/2 PHP/5.3.6 with Suhosin-Patch Server at localhost Port 80
Fortunately, mitigating this leakage in Apache is simple:
- To hide the server details shown when you request a non-existing page, add the following line to httpd.conf (or whatever your Apache configuration file is called):
ServerSignature Off
This will remove the server details from the error page.
- To hide the server details in the response header, you need to install the mod_security module for Apache (on Debian servers the task is easy enough):
apt-get install libapache2-mod-security2
Then add the following lines to httpd.conf (or whatever your Apache configuration file is called):
ServerTokens Full
SecServerSignature "Web Server"
This will show the words “Web Server” instead of your full server details (mod_security needs ServerTokens set to Full in order to replace the banner).
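To confirm that both settings took effect, the following added example (not code from the original post) parses a raw HTTP response and reports version tokens in the Server header and the ServerSignature footer in an error page. The function name audit_response and the sample responses are constructed for illustration, modelled on the output quoted above.

```python
import re

# Product token with a version, e.g. "Apache/2.2.16", "PHP/5.3.6", "DAV/2"
VERSIONED = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")
PLATFORM = re.compile(r"\(([^)]+)\)")              # e.g. "(Debian)"
FOOTER = re.compile(r"Server at \S+ Port \d+")    # ServerSignature footer

def audit_response(raw):
    """Return the disclosures found in one raw HTTP response."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    findings = []
    for line in head.split("\n")[1:]:              # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "server":
            continue
        findings += [f"header: {p} {v}" for p, v in VERSIONED.findall(value)]
        findings += [f"header: platform {o}" for o in PLATFORM.findall(value)]
    if FOOTER.search(body):
        findings.append("body: ServerSignature footer")
    findings += [f"body: {p} {v}" for p, v in VERSIONED.findall(body)]
    return findings

# Constructed samples modelled on the responses quoted in this post.
BEFORE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 20 Jan 2012 14:24:08 GMT\r\n"
    "Server: Apache/2.2.16 (Debian)\r\n"
    "Content-Type: text/html\r\n\r\n"
)
BEFORE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.2.20 (Unix) DAV/2 PHP/5.3.6 with Suhosin-Patch\r\n\r\n"
    "Not Found\nThe requested URL /hack-test was not found on this server.\n"
    "Apache/2.2.20 (Unix) DAV/2 PHP/5.3.6 with Suhosin-Patch "
    "Server at localhost Port 80\n"
)
# Expected shape after ServerSignature Off and SecServerSignature "Web Server"
AFTER_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Web Server\r\n\r\n"
    "Not Found\nThe requested URL /hack-test was not found on this server.\n"
)

if __name__ == "__main__":
    for label, raw in [("before HEAD", BEFORE_HEAD), ("before 404", BEFORE_404),
                       ("after 404", AFTER_404)]:
        print(label, "->", audit_response(raw) or "no disclosure found")
```

Run it against responses captured from your own server before and after the configuration change; an empty result means neither the header nor the error page carries a version string.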
Sure, there are other ways to determine the server banner using fingerprinting, but that will be for another post.
