Developers Documentation


HTTP Server Type and Version

This entry from Security Metrics indicates that some risk may be derived from knowing the version of the underlying Apache server.

ClearCenter response

Short response

This issue does not present a tangible risk to the running system.

Long response

Knowing the server version does not present a specific risk. The argument is that knowing the type of server running will embolden a hacker into further investigation. It can equally be argued that knowing the server version dissuades further investigation, as this system receives timely updates.

Resolution

No action required.

Optionally, if you want to remove the OS and version reported by your Apache Web Server, perform the following:

First, establish a baseline by looking at your own headers:

curl --head localhost

Next, modify the /etc/httpd/conf/httpd.conf file and change the following two lines (to modify this for Webconfig [port 81], use /usr/clearos/sandbox/etc/httpd/conf/httpd.conf instead):

ServerSignature On
ServerTokens OS

to:

ServerSignature Off
ServerTokens Prod

(Optional) While you are at it, stop PHP from revealing its version as well by modifying /etc/php.ini and changing:

expose_php = On

to this:

expose_php = Off

Restart the web service:

service httpd restart

Lastly, re-examine the headers the server reports and compare them with the baseline:

curl --head localhost
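
The before-and-after comparison above can be scripted. The following is an added example, not part of the original ClearOS page: the function name audit_headers and the two sample header sets are assumptions made for illustration, and the version strings in them are constructed.

```shell
#!/bin/sh
# Added example, not ClearOS code. Header values below are constructed.

# audit_headers: read raw HTTP response headers on stdin, print one line per
# disclosure found. Exit status 0 = nothing disclosed, 1 = disclosure found.
audit_headers() {
    tr -d '\r' | awk '
        BEGIN { bad = 0 }
        {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
        }
        name == "server" {
            # ServerTokens Prod yields a bare product name such as "Apache".
            # A slash-version or parenthesised OS means more is being sent.
            if (value ~ /\/[0-9]/) { print "Server reveals version: " value; bad = 1 }
            if (value ~ /\(.*\)/)  { print "Server reveals OS: " value; bad = 1 }
        }
        name == "x-powered-by" {
            # PHP adds this header while expose_php = On.
            print "X-Powered-By present: " value; bad = 1
        }
        END { exit bad }
    '
}

# Constructed sample: ServerTokens OS and expose_php = On.
sample_before() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\nX-Powered-By: PHP/5.3.3\r\n\r\n'
}

# Constructed sample: ServerTokens Prod and expose_php = Off.
sample_after() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n'
}

sample_before | audit_headers || echo "before: disclosure found"
sample_after  | audit_headers && echo "after: clean"

# Against a live server: curl --silent --head localhost | audit_headers
# ServerSignature is not visible here; it controls the footer Apache adds to
# server-generated pages such as error documents.
```
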
content/en_us/kb_3rdparty_security_metrics_http_server_type_and_version.txt · Last modified: 2015/01/29 09:36 (external edit)
