Thread: [mod-security-users] SecServerSignature not working
From: Uday M. <umo...@gm...> - 2008-05-29 18:52:54

Hey, I just installed mod_security 2.5.4 on an ubuntu 8.04 with apache2.2, I'm trying to test the functionalities of Mod_Security and decided to try out the SecServerSignature and the server signature remains the same. In the error log I get the following:

[Thu May 29 14:30:49 2008] [notice] ModSecurity for Apache/2.5.4 (http://www.modsecurity.org/) configured.

My server tokens are set to full and my serversignature is on. Any ideas?

U.M
From: Brian R. <Bri...@br...> - 2008-05-29 23:52:01

The only thing I can think of off-hand is that you are really not set to full (or you have a custom server message) or you are in a reverse proxy mode (in which you need to use mod_header instead).

The ServerSignature is not needed as this just controls the footer for server generated documents (you probably want it off).

-B

Uday MOORJANI wrote:
> Hey,
>
> I just installed mod_security 2.5.4 on an ubuntu 8.04 with apache2.2,
> I'm trying to test the functionalities of Mod_Security and decided to
> try out the SecServerSignature and the server signature remains the
> same. In the error log I get the following:
>
> [Thu May 29 14:30:49 2008] [notice] ModSecurity for Apache/2.5.4
> (http://www.modsecurity.org/) configured.
>
> My server tokens are set to full and my serversignature is on. Any ideas?
>
> U.M

--
Brian Rectanus
Breach Security
From: Tom A. <tan...@oa...> - 2008-05-30 17:24:31

Brian Rectanus wrote:
> The ServerSignature is not needed as this just controls the footer for
> server generated documents (you probably want it off).

On the contrary, using a false signature to help throw off fingerprinting can be very useful. After all, if some hacker is trying IIS, Sun, or AS400 vulnerabilities, they'll be unlikely to affect your Linux/Apache server. And in the meantime, you can take note of their incessant ill will and blacklist their IP.

Tom
From: Ryan B. <Ryan.Barnett@Breach.com> - 2008-05-30 17:51:43

Just to clarify, there is a ModSecurity directive called SecServerSignature that will spoof the "Server:" response token data if you set the Apache ServerTokens directive to Full. There is also an Apache directive called ServerSignature that is used to add footer information to Apache error pages. Spoofing this data, however, is of little value as the default error pages would still be in the "style" of Apache. So, if you want to obscure this data then you would also then need to use custom ErrorDocuments for all status codes.

While I am all for "Security WITH Obscurity" this is ultimately a losing battle. There is no way that you can totally obscure the platform that you are running. One quick test that you can run to identify Apache vs. IIS is to look at the order of the Server and Date headers in the response. Apache is always Date followed by Server and IIS is Server followed by Date. So, even if you are spoofing Microsoft-IIS/6.0 with SecServerSignature, an attacker only needs to look at the header ordering to identify that you are running Apache.

You may want to review the Fingerprinting Appendix in the WASC Threat Classification that I authored - http://www.webappsec.org/projects/threat/classes/fingerprinting.shtml

Cheers,
Ryan

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Tom Anderson
> Sent: Friday, May 30, 2008 1:24 PM
> To: 'mod...@li...'
> Subject: Re: [mod-security-users] SecServerSignature not working
>
> Brian Rectanus wrote:
> > The ServerSignature is not needed as this just controls the footer for
> > server generated documents (you probably want it off).
>
> On the contrary, using a false signature to help throw off
> fingerprinting can be very useful. After all, if some hacker is trying
> IIS, Sun, or AS400 vulnerabilities, they'll be unlikely to affect your
> Linux/Apache server. And in the meantime, you can take note of their
> incessant ill will and blacklist their IP.
>
> Tom
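A self-check for the Date/Server ordering Ryan describes, added here as an example (it is not code from the thread or from the ModSecurity project). It assumes you feed it the raw bytes of a response head captured from a server you administer, so you can confirm that a SecServerSignature change actually took effect and see whether the banner you chose is contradicted by header order:

```python
"""Check what your own server's response headers reveal. Added example, not
code from the thread: parses an HTTP/1.x response head and reports the Server
token plus the Date/Server ordering Ryan describes, so an admin can confirm a
SecServerSignature change took effect and see what header order still reveals."""

def parse_head(raw: bytes) -> list:
    """Return the response headers as an ordered list of (name, value)."""
    # Accept CRLF or bare LF so a saved `curl -sI` capture works as input too.
    text = raw.decode("iso-8859-1").replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:          # skip the status line
        if ":" in line:
            name, _, value = line.partition(":")
            pairs.append((name.strip(), value.strip()))
    return pairs

def inspect_head(raw: bytes) -> dict:
    """Summarise banner and header-order evidence for one response head."""
    pairs = parse_head(raw)
    names = [n.lower() for n, _ in pairs]
    server = next((v for n, v in pairs if n.lower() == "server"), None)
    order = None
    if "date" in names and "server" in names:
        order = ("date-then-server" if names.index("date") < names.index("server")
                 else "server-then-date")
    # Rule of thumb from the thread: Apache sends Date before Server, IIS the reverse.
    order_family = {"date-then-server": "Apache", "server-then-date": "IIS"}.get(order)
    banner = (server or "").lower()
    banner_family = ("Apache" if banner.startswith("apache")
                     else "IIS" if "microsoft-iis" in banner else None)
    return {
        "server": server,
        "order": order,
        "order_family": order_family,
        # True when the banner claims one platform but header order points to another.
        "inconsistent": bool(banner_family and order_family
                             and banner_family != order_family),
    }

# Constructed sample: Apache spoofing an IIS banner via SecServerSignature.
SPOOFED_APACHE = (b"HTTP/1.1 200 OK\r\nDate: Fri, 30 May 2008 17:51:43 GMT\r\n"
                  b"Server: Microsoft-IIS/6.0\r\nContent-Type: text/html\r\n\r\n")
# Constructed sample: the minimal banner Christian settled on, no version string.
TRIMMED_APACHE = (b"HTTP/1.1 200 OK\r\nDate: Mon, 02 Jun 2008 06:29:44 GMT\r\n"
                  b"Server: Apache\r\nContent-Type: text/html\r\n\r\n")
if __name__ == "__main__":
    for sample in (SPOOFED_APACHE, TRIMMED_APACHE):
        print(inspect_head(sample))
```

Running it on the spoofed sample reports the IIS banner together with an Apache-like header order and flags the mismatch; the trimmed "Apache" banner is reported as consistent.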
From: <chr...@po...> - 2008-06-02 06:29:44

I'd like to follow up on Ryan's message here.

> While I am all for "Security WITH Obscurity" this is ultimately a losing
> battle. There is no way that you can totally obscure the platform that
> you are running.

When working with obscurity, you have to be very careful about your intentions. Obscurity lures you into a false security feeling. You mean to go unnoticed, while in fact it's plainly obvious what you are hiding.

However, there are things you really should do and it has to do with modern style attacking. Amichai Shulman presented on Google Hacking at the OWASP conference in Belgium.
http://www.owasp.org/images/6/6a/AppSecEU08-BeyondGoogleHacking-AmichaiShulman.ppt

The point is that you do not want to show up in Google with your Apache version and possibly the PHP version string on top of that. So setting Apache ServerSignature and also ServerTokens is a must. See Ryan's CIS Apache Benchmark for details.
-> http://www.cisecurity.org/bench_apache.html

And there is more to it. If you are obscuring your server, you are obscuring it for yourself and your friends too. It's likely some analysis tools will cease to work or stop returning valid reports. And if you are gone and somebody takes over your servers (yes, this happens in real life), he might be really puzzled. If you are obscuring things, you and your colleagues may be the first ones to get lost. So better think twice.

I reduced all identification strings coming out of my servers to "Apache".

Just my 2 cents.

Christian
From: Uday M. <uda...@me...> - 2008-05-30 14:50:00

Dear Sir,

I can assure you that my tokens are set to Full, it is the default installation of apache2 (in chroot using makejail) and I'm not 'yet' in reverse proxy mode :).

I sent you my conf files at your address to take a look, I took the default conf files found on the net and on the mod_sec website.

Thanks for the helping hand,

Uday MOORJANI

On Thu, May 29, 2008 at 7:51 PM, Brian Rectanus <Bri...@br...> wrote:
> The only thing I can think of off-hand is that you are really not set to
> full (or you have a custom server message) or you are in a reverse
> proxy mode (in which you need to use mod_header instead).
>
> The ServerSignature is not needed as this just controls the footer for
> server generated documents (you probably want it off).
>
> -B
>
> Uday MOORJANI wrote:
> > Hey,
> >
> > I just installed mod_security 2.5.4 on an ubuntu 8.04 with apache2.2,
> > I'm trying to test the functionalities of Mod_Security and decided to
> > try out the SecServerSignature and the server signature remains the
> > same. In the error log I get the following:
> >
> > [Thu May 29 14:30:49 2008] [notice] ModSecurity for Apache/2.5.4
> > (http://www.modsecurity.org/) configured.
> >
> > My server tokens are set to full and my serversignature is on. Any ideas?
> >
> > U.M
>
> --
> Brian Rectanus
> Breach Security
From: Brian R. <Bri...@br...> - 2008-05-30 15:57:42

You have a typo. This is incorrect:

<IfModule mod_security.c>

Should be:

<IfModule mod_security2.c>

So, it probably was not loading that block of the config.

-B

Uday MOORJANI wrote:
> Dear Sir,
>
> I can assure you that my tokens are set to Full, it is the default
> installation of apache2 (in chroot using makejail) and I'm not 'yet' in
> reverse proxy mode :).
>
> I sent you my conf files at your address to take a look, I took the
> default conf files found on the net and on the mod_sec website.
>
> Thanks for the helping hand,
>
> Uday MOORJANI
>
> On Thu, May 29, 2008 at 7:51 PM, Brian Rectanus
> <Bri...@br... <mailto:Bri...@br...>> wrote:
>
> The only thing I can think of off-hand is that you are really not set to
> full (or you have a custom server message) or you are in a reverse
> proxy mode (in which you need to use mod_header instead).
>
> The ServerSignature is not needed as this just controls the footer for
> server generated documents (you probably want it off).
>
> -B
>
> Uday MOORJANI wrote:
> > Hey,
> >
> > I just installed mod_security 2.5.4 on an ubuntu 8.04 with apache2.2,
> > I'm trying to test the functionalities of Mod_Security and decided to
> > try out the SecServerSignature and the server signature remains the
> > same. In the error log I get the following:
> >
> > [Thu May 29 14:30:49 2008] [notice] ModSecurity for Apache/2.5.4
> > (http://www.modsecurity.org/) configured.
> >
> > My server tokens are set to full and my serversignature is on. Any
> > ideas?
> >
> > U.M
>
> --
> Brian Rectanus
> Breach Security

--
Brian Rectanus
Breach Security