Just to clarify, there is a ModSecurity directive called
SecServerSignature that will spoof the "Server:" response token data if
you set the Apache ServerTokens directive to Full.

There is also an Apache directive called ServerSignature that is used to
add footer information to Apache error pages. Spoofing this data,
however, is of little value as the default error pages would still be in
the "style" of Apache. So, if you want to obscure this data then you
would also need to use custom ErrorDocuments for all status codes.

While I am all for "Security WITH Obscurity" this is ultimately a losing
battle. There is no way that you can totally obscure the platform that
you are running. One quick test that you can run to identify Apache vs.
IIS is to look at the order of the Server and Date headers in the
response. Apache is always Date followed by Server and IIS is Server
followed by Date. So, even if you are spoofing Microsoft-IIS/6.0 with
SecServerSignature, an attacker only needs to look at the header
ordering to identify that you are running Apache. You may want to
review the Fingerprinting Appendix in the WASC Threat Classification
that I authored -

> -----Original Message-----
> From: mod-security-users-bounces@... [mailto:mod-security-users-bounces@...] On Behalf Of Tom
> Sent: Friday, May 30, 2008 1:24 PM
> To: 'mod-security-users@...'
> Subject: Re: [mod-security-users] SecServerSignature not working
> Brian Rectanus wrote:
> > The ServerSignature is not needed as this just controls the footer
> > server generated documents (you probably want it off).
> On the contrary, using a false signature to help throw off
> fingerprinting can be very useful. After all, if some hacker is
> IIS, Sun, or AS400 vulnerabilities, they'll be unlikely to affect your
> Linux/Apache server. And in the meantime, you can take note of their
> incessant ill will and blacklist their IP.
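
Added example (not part of the original message or of ModSecurity): a Python check that a server owner can run over a captured response from their own site, to see whether the Server banner set with SecServerSignature is contradicted by the Date/Server header order described in the reply above. The function names and sample responses are constructed for illustration; the ordering rule is the one stated in the message.

```python
# Added example: audit a captured response from your own server.
# Ordering rule as stated in the message above:
#   Apache sends Date before Server; IIS sends Server before Date.

def parse_headers(raw_response):
    """Return [(lowercased name, value), ...] in wire order."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:            # skip the status line
        if line[:1] in (" ", "\t") and pairs:    # folded continuation line
            name, value = pairs[-1]
            pairs[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_banner(raw_response):
    """Compare what the Server banner claims with what header order suggests."""
    pairs = parse_headers(raw_response)
    names = [name for name, _ in pairs]
    banner = next((value for name, value in pairs if name == "server"), None)

    by_order = None
    if "date" in names and "server" in names:
        by_order = "Apache" if names.index("date") < names.index("server") else "IIS"

    claimed = None
    if banner:
        lowered = banner.lower()
        claimed = "Apache" if "apache" in lowered else "IIS" if "iis" in lowered else None

    consistent = None if None in (by_order, claimed) else claimed == by_order
    return {"banner": banner, "claimed": claimed,
            "by_order": by_order, "consistent": consistent}


# Constructed sample responses (not captured from any real host).
SPOOFED = ("HTTP/1.1 200 OK\r\nDate: Fri, 30 May 2008 17:24:00 GMT\r\n"
           "Server: Microsoft-IIS/6.0\r\nContent-Type: text/html\r\n\r\n<html></html>")
IIS_ORDER = ("HTTP/1.1 200 OK\r\nContent-Length: 0\r\nServer: Microsoft-IIS/6.0\r\n"
             "Date: Fri, 30 May 2008 17:24:00 GMT\r\n\r\n")
NO_BANNER = "HTTP/1.1 404 Not Found\r\nDate: Fri, 30 May 2008 17:24:00 GMT\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("iis-order", IIS_ORDER), ("no-banner", NO_BANNER)):
        print(label, audit_banner(raw))
```

A result with `consistent` set to `False` means the banner and the header order disagree, which is the tell the reply describes.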