Tom Anderson wrote:
> Is there any way to change the order of fields output by Apache using
> mod_security? Eg, IIS and Netscape output the server field, then the
> date field, but Apache does the date first. To help prevent
> fingerprinting, I'd like to reorder the fields.

No, because that's not something you can do with Apache (without
changing the source code). Apache hard-codes two of the headers,
Date and Server, and there's nothing one can do about it.

Therefore the only way to hide Apache is to put a reverse proxy
in front of it and instruct the reverse proxy to shuffle the
headers. But even if you did that you would still have to handle
some other signs you are running Apache - the contents of the
ETag header, for example.

Header shuffling is potentially useful when Apache is used as
a reverse proxy. In this mode of operation Apache will use the
headers received from the remote server and not send its own. The
only drawback of this solution is that it is trivial to discover
the identity of the Apache reverse proxy. Just send it a bad
request.
--
Ivan Ristic (http://www.modsecurity.org)
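
An added example, not part of the original message: a small Python audit that reads the raw response head captured from your own server and lists the residual signals discussed above (Date sent before Server, an Apache Server banner, an Apache-looking ETag). The ETag pattern, the function names and the sample responses are assumptions constructed for illustration.

```python
import re

# Assumption (not stated in the thread): Apache's default FileETag output is
# two or three hyphen-separated hex fields in quotes, e.g. "2c3b-1f4-3e9564c23b600".
APACHE_ETAG = re.compile(r'^(?:W/)?"[0-9a-f]+(?:-[0-9a-f]+){1,2}"$', re.I)

def parse_headers(raw):
    """Return (name, value) pairs in wire order from a raw HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def residual_signals(raw):
    """List the Apache giveaways still visible in a response head."""
    pairs = parse_headers(raw)
    names = [n.lower() for n, _ in pairs]
    findings = []
    # Header order: Date emitted before Server, as the thread describes for Apache.
    if "date" in names and "server" in names:
        if names.index("date") < names.index("server"):
            findings.append("date-before-server")
    for name, value in pairs:
        if name.lower() == "server" and "apache" in value.lower():
            findings.append("server-banner")
        if name.lower() == "etag" and APACHE_ETAG.match(value):
            findings.append("etag-shape")
    return findings

# Constructed sample responses (not captured from any real host).
DIRECT = (b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
          b"Server: Apache\r\nETag: \"2c3b-1f4-3e9564c23b600\"\r\n\r\n")
# Behind a proxy that reorders headers and rewrites Server but passes ETag through.
PROXIED = (b"HTTP/1.1 200 OK\r\nServer: front\r\n"
           b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
           b"ETag: \"2c3b-1f4-3e9564c23b600\"\r\n\r\n")
# Same proxy with the ETag header also removed.
CLEANED = (b"HTTP/1.1 200 OK\r\nServer: front\r\n"
           b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT), ("proxied", PROXIED), ("cleaned", CLEANED)):
        print(label, residual_signals(raw))
```

The proxied sample shows the point made in the reply: reordering the headers removes one signal, but the ETag contents still need handling.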