Skåne Sjælland Linux User Group - http://www.sslug.dk
 

Re: [SIKKERHED] Announcing which OS is being run



On Thu, 2004-05-27 at 13:05, Kim Jensen wrote:

> One should not base one's security on "security through obscurity", but
> there is also no reason to advertise all the information! Apache has
> a nice little setting with its "ServerTokens" directive, which can be set
> to say only "Apache", so that you get absolutely no information
> from a server.

A while ago I made a patch so that ServerTokens
in the apache conf could be set to "None" (the Server header is then omitted entirely).
I think it was written against Apache 1.3.22 and I haven't tested it
with later versions, so I don't know whether it still works, but it
should be easy to adapt...

Regards,
Christian.

-- patch below --

# This patch will add an additional option to the server token directive.
# If ServerTokens is set to None, no Server header line will be printed to
# clients. Mainly, this solves a security issue (not telling a hacker what
# kind of http server you are using). Go on, call me paranoid ;-)
# Christian Theil Have, 2001. <sslug@sslug>

Only in apache_1.3.22-modified: Makefile
Only in apache_1.3.22-modified: config.status
Only in apache_1.3.22-modified/src: Configuration.apaci
Only in apache_1.3.22-modified/src: Makefile
Only in apache_1.3.22-modified/src: Makefile.config
Only in apache_1.3.22-modified/src/ap: Makefile
Only in apache_1.3.22-modified/src: apaci
Only in apache_1.3.22-modified/src/include: ap_config_auto.h
diff -C 5 -r apache_1.3.22/src/include/httpd.h
apache_1.3.22-modified/src/include/httpd.h
*** apache_1.3.22/src/include/httpd.h	Tue Oct  9 05:56:05 2001
--- apache_1.3.22-modified/src/include/httpd.h	Tue Dec 11 22:42:21 2001
***************
*** 441,457 ****
--- 441,459 ----
  
  #define SERVER_PRODUCT  SERVER_BASEPRODUCT
  #define SERVER_REVISION SERVER_BASEREVISION
  #define SERVER_VERSION  SERVER_PRODUCT "/" SERVER_REVISION
  enum server_token_type {
+     SrvTk_NONE,         /* No "Server" header is written to client */
      SrvTk_MIN,		/* eg: Apache/1.3.0 */
      SrvTk_OS,		/* eg: Apache/1.3.0 (UNIX) */
      SrvTk_FULL,		/* eg: Apache/1.3.0 (UNIX) PHP/3.0 FooBar/1.2b */
      SrvTk_PRODUCT_ONLY	/* eg: Apache */
  };
  
  API_EXPORT(const char *) ap_get_server_version(void);
+ API_EXPORT(const char *) ap_get_server_version_header(void);
  API_EXPORT(void) ap_add_version_component(const char *component);
  API_EXPORT(const char *) ap_get_server_built(void);
  
  /* Numeric release version identifier: MMNNFFRBB: major minor fix
final beta
   * Always increases along the same track as the source branch.
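Review bot: `ap_get_server_version_header()` is declared here without any comment, yet unlike `ap_get_server_version()` it can return NULL (when ServerTokens is None), so every caller has to check for that; add a one-line comment next to the declaration saying so. Placing `SrvTk_NONE` first in the enum also renumbers the existing enumerators, which is harmless for code using the symbolic names but changes the values seen by any module built against the old header.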
Only in apache_1.3.22-modified/src/include: httpd.h~
Only in apache_1.3.22-modified/src/lib: Makefile
Only in apache_1.3.22-modified/src/lib/expat-lite: Makefile
Only in apache_1.3.22-modified/src/main: Makefile
diff -C 5 -r apache_1.3.22/src/main/http_core.c
apache_1.3.22-modified/src/main/http_core.c
*** apache_1.3.22/src/main/http_core.c	Tue Sep  4 20:15:15 2001
--- apache_1.3.22-modified/src/main/http_core.c	Tue Dec 11 21:56:14 2001
***************
*** 2733,2742 ****
--- 2733,2743 ----
   * string.
   */
  
  static const char *set_serv_tokens(cmd_parms *cmd, void *dummy, char
*arg) 
  {
+     /* FIXME: The use of strcasecmp annoys me */
      const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
      if (err != NULL) {
          return err;
      }
  
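Review bot: the added `/* FIXME: The use of strcasecmp annoys me */` is a personal aside rather than a review-ready comment; either drop it or state what should replace strcasecmp. The keyword matching in this function already uses strcasecmp throughout, so a new branch that does the same is at least consistent with the existing code.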
***************
*** 2749,2758 ****
--- 2750,2762 ----
      else if (!strcasecmp(arg, "Full")) {
          ap_server_tokens = SrvTk_FULL;
      }
      else if (!strcasecmp(arg, "Prod") || !strcasecmp(arg,
"ProductOnly")) {
          ap_server_tokens = SrvTk_PRODUCT_ONLY;
+     } 
+     else if (!strcasecmp(arg, "None")) {
+         ap_server_tokens = SrvTk_NONE;
      }
      else {
  	return ap_pstrcat(cmd->pool, "Unrecognised ServerTokens keyword: ",
  			  arg, NULL);
      }
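Review bot: the `+     } ` line carries trailing whitespace; strip it. Otherwise the `None` branch follows the same strcasecmp pattern as the `Prod`/`ProductOnly` branch directly above it and needs no further change.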
***************
*** 3206,3216 ****
  #ifdef WIN32
  { "ScriptInterpreterSource", set_interpreter_source, NULL,
OR_FILEINFO, TAKE1,
    "Where to find interpreter to run Win32 scripts - Registry or Script
(shebang line)" },
  #endif
  { "ServerTokens", set_serv_tokens, NULL, RSRC_CONF, TAKE1,
!   "Tokens displayed in the Server: header - Min[imal], OS,
Prod[uctOnly], Full" },
  { "LimitRequestLine", set_limit_req_line, NULL, RSRC_CONF, TAKE1,
    "Limit on maximum size of an HTTP request line"},
  { "LimitRequestFieldsize", set_limit_req_fieldsize, NULL, RSRC_CONF,
TAKE1,
    "Limit on maximum size of an HTTP request header field"},
  { "LimitRequestFields", set_limit_req_fields, NULL, RSRC_CONF, TAKE1,
--- 3210,3220 ----
  #ifdef WIN32
  { "ScriptInterpreterSource", set_interpreter_source, NULL,
OR_FILEINFO, TAKE1,
    "Where to find interpreter to run Win32 scripts - Registry or Script
(shebang line)" },
  #endif
  { "ServerTokens", set_serv_tokens, NULL, RSRC_CONF, TAKE1,
!   "Tokens displayed in the Server: header - None, Min[imal], OS,
Prod[uctOnly], Full" },
  { "LimitRequestLine", set_limit_req_line, NULL, RSRC_CONF, TAKE1,
    "Limit on maximum size of an HTTP request line"},
  { "LimitRequestFieldsize", set_limit_req_fieldsize, NULL, RSRC_CONF,
TAKE1,
    "Limit on maximum size of an HTTP request header field"},
  { "LimitRequestFields", set_limit_req_fields, NULL, RSRC_CONF, TAKE1,
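Review bot: the help text "Tokens displayed in the Server: header - None, Min[imal], ..." now slightly misdescribes the new keyword, since None omits the header rather than choosing tokens for it; suggest "None (omit header), Min[imal], OS, Prod[uctOnly], Full".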
diff -C 5 -r apache_1.3.22/src/main/http_main.c
apache_1.3.22-modified/src/main/http_main.c
*** apache_1.3.22/src/main/http_main.c	Sat Oct  6 04:21:11 2001
--- apache_1.3.22-modified/src/main/http_main.c	Tue Dec 11 22:59:43 2001
***************
*** 412,421 ****
--- 412,429 ----
  API_EXPORT(const char *) ap_get_server_version(void)
  {
      return (server_version ? server_version : SERVER_BASEVERSION);
  }
  
+ API_EXPORT(const char *) ap_get_server_version_header (void)
+ {
+     if (ap_server_tokens == SrvTk_NONE)
+ 	return NULL;
+     else 
+ 	return ap_get_server_version();
+ }
+ 
  API_EXPORT(void) ap_add_version_component(const char *component)
  {
      if (! version_locked) {
          /*
           * If the version string is null, register our cleanup to
reset the
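Review bot: `ap_get_server_version_header (void)` has a space before the parameter list that the declaration in httpd.h and the neighbouring `ap_get_server_version(void)` do not; match the existing style. The `else` after an unconditional `return` is redundant, and the two return statements are tab-indented while the surrounding function bodies use spaces.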
***************
*** 450,459 ****
--- 458,471 ----
      else if (ap_server_tokens == SrvTk_MIN) {
  	ap_add_version_component(SERVER_BASEVERSION);
      }
      else {
  	ap_add_version_component(SERVER_BASEVERSION " (" PLATFORM ")");
+ 	/* Note, this will also if ap_server_tokens == SrvTk_NONE 
+          * The only place this has influence is in
ap_basic_http_header
+          * in http_protocol.c, where no "Server" header is created 
+          * - Christian Theil Have, <sslug@sslug> */
      }
      /*
       * Lock the server_version string if we're not displaying
       * the full set of tokens
       */
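Review bot: the added comment is garbled ("this will also if ap_server_tokens == SrvTk_NONE" is missing a verb), and the behaviour it documents is a real gap: with ServerTokens None this else branch still builds `SERVER_BASEVERSION " (" PLATFORM ")"`, so the full version-plus-platform string remains available through ap_get_server_version() to every caller other than ap_basic_http_header. Suggest handling SrvTk_NONE explicitly here (for example, treating it like SrvTk_MIN) so that the information suppressed in the Server header is not still exposed by other paths.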
Only in apache_1.3.22-modified/src/main: http_main.c~
diff -C 5 -r apache_1.3.22/src/main/http_protocol.c
apache_1.3.22-modified/src/main/http_protocol.c
*** apache_1.3.22/src/main/http_protocol.c	Fri Jun 22 14:43:54 2001
--- apache_1.3.22-modified/src/main/http_protocol.c	Tue Dec 11 23:02:54
2001
***************
*** 1493,1506 ****
      /* Output the HTTP/1.x Status-Line and the Date and Server fields
*/
  
      ap_rvputs(r, protocol, " ", r->status_line, CRLF, NULL);
  
      ap_send_header_field(r, "Date", ap_gm_timestr_822(r->pool,
r->request_time));
!     ap_send_header_field(r, "Server", ap_get_server_version());
  
      ap_table_unset(r->headers_out, "Date");        /* Avoid bogosity
*/
!     ap_table_unset(r->headers_out, "Server");
  #ifdef CHARSET_EBCDIC
      POP_EBCDIC_OUTPUTCONVERSION_STATE_r(r);
  #endif /*CHARSET_EBCDIC*/
  }
  
--- 1493,1510 ----
      /* Output the HTTP/1.x Status-Line and the Date and Server fields
*/
  
      ap_rvputs(r, protocol, " ", r->status_line, CRLF, NULL);
  
      ap_send_header_field(r, "Date", ap_gm_timestr_822(r->pool,
r->request_time));
! 
!     /* Hack warning: */
!     if (ap_get_server_version_header())
! 	ap_send_header_field(r, "Server", ap_get_server_version_header());
  
      ap_table_unset(r->headers_out, "Date");        /* Avoid bogosity
*/
!     if (ap_get_server_version_header())
! 	ap_table_unset(r->headers_out, "Server");
  #ifdef CHARSET_EBCDIC
      POP_EBCDIC_OUTPUTCONVERSION_STATE_r(r);
  #endif /*CHARSET_EBCDIC*/
  }
  
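Review bot: the second `!` change is a logic error. The original unconditionally did `ap_table_unset(r->headers_out, "Server")` so that a Server entry placed in headers_out by a module is not emitted a second time; guarding it with `if (ap_get_server_version_header())` means that precisely when ServerTokens is None the unset is skipped, and any module-supplied Server header is sent after all. Keep the unset unconditional and guard only the `ap_send_header_field` call. Minor: `ap_get_server_version_header()` is called twice within a few lines; call it once into a local `const char *`, and replace the "Hack warning:" comment with one that says what the condition means.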
Only in apache_1.3.22-modified/src/main: http_protocol.c~
Only in apache_1.3.22-modified/src/modules: Makefile
Only in apache_1.3.22-modified/src/modules/proxy: Makefile
Only in apache_1.3.22-modified/src/modules/standard: Makefile
Only in apache_1.3.22-modified/src: modules.c
Only in apache_1.3.22-modified/src/os/unix: Makefile
Only in apache_1.3.22-modified/src/regex: Makefile
Only in apache_1.3.22-modified/src/support: Makefile
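The thread is about how much the Server header gives away, and the natural follow-up for an administrator is to check what their own server actually sends after changing ServerTokens. The script below is an added example written for this page; it is not part of Christian's patch, the original post, or Apache. It parses a raw HTTP response, classifies the Server header into the same levels the patch deals with (None, Prod, Min, OS, Full) and reports when the disclosure exceeds a chosen policy. It also flags a response carrying more than one Server header, since another component adding its own header would undo the effect of the directive. The sample responses, the `audit_*` function names and the default policy of allowing only None and Prod are assumptions made for the example; `audit_host` performs a real request against a host you administer and is not exercised offline.

```python
"""Audit what an HTTP response's Server header discloses.

Added example for this page (not from the original post or from Apache):
classifies a Server header into ServerTokens-style levels and flags
responses that disclose more than a chosen policy allows.
"""
import http.client
import re
from typing import Optional

# Constructed sample responses (not captured from any real host), one per
# ServerTokens level plus the patch's "None", where the header is omitted.
SAMPLE_RESPONSES = {
    "Full": (b"HTTP/1.1 200 OK\r\n"
             b"Date: Thu, 27 May 2004 11:05:00 GMT\r\n"
             b"Server: Apache/1.3.22 (Unix) PHP/4.1.2 mod_ssl/2.8.5\r\n"
             b"Content-Type: text/html\r\n\r\n<html></html>"),
    "OS":   b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.22 (Unix)\r\n\r\n",
    "Min":  b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.22\r\n\r\n",
    "Prod": b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
    "None": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

# A Server value is a sequence of product tokens and "(comment)" items.
_TOKEN = re.compile(r"\([^)]*\)|[^\s()]+")


def parse_headers(raw: bytes) -> list:
    """Split a raw HTTP response into (lowercased name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def classify(server_value: Optional[str]) -> str:
    """Map a Server header value to a ServerTokens-style disclosure level."""
    if server_value is None:
        return "None"
    tokens = _TOKEN.findall(server_value)
    if not tokens:                       # present but empty: discloses nothing
        return "None"
    products = [t for t in tokens if not t.startswith("(")]
    comments = [t for t in tokens if t.startswith("(")]
    if len(products) > 1:                # extra modules listed, e.g. PHP/4.1.2
        return "Full"
    if comments:                         # platform comment, e.g. (Unix)
        return "OS"
    if products and "/" in products[0]:  # product with version
        return "Min"
    return "Prod"


def audit_headers(headers: list, allowed=("None", "Prod")) -> dict:
    """Classify the Server header(s) and list policy findings."""
    values = [v for n, v in headers if n == "server"]
    level = classify(values[0] if values else None)
    findings = []
    if level not in allowed:
        findings.append(f"Server header discloses at level {level}: {values[0]!r}")
    if len(values) > 1:
        findings.append(f"{len(values)} Server headers present; another component adds its own")
    return {"level": level, "server": values, "findings": findings}


def audit_raw(raw: bytes, allowed=("None", "Prod")) -> dict:
    return audit_headers(parse_headers(raw), allowed)


def audit_host(host: str, port: int = 80, path: str = "/") -> dict:
    """Fetch one response from a server you administer and audit it (needs network)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    headers = [(n.lower(), v) for n, v in resp.getheaders()]
    conn.close()
    return audit_headers(headers)


if __name__ == "__main__":
    for expected, raw in SAMPLE_RESPONSES.items():
        result = audit_raw(raw)
        print(f"{expected:5} -> {result['level']:5} {result['findings'] or 'ok'}")
```

The classification is a heuristic on the header's grammar (one product token with a version means Min, a parenthesised comment means OS, several product tokens means Full), so a server that deliberately sends an unusual value will be classified by its shape, not by what Apache would have produced. Run `audit_host` against your own server before and after changing ServerTokens to confirm the setting took effect.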


 
Last modified 2005-08-10, 20:47 CEST