[WEB SECURITY] Securing apache installation with PHP

Ryan Barnett rcbarnett at gmail.com
Thu May 19 11:14:41 EDT 2005

I wanted to give everyone a quick teaser on some Apache obfuscation info.  

<Warning: PR Info>
I am currently writing a book for Prentice-Hall/Addison-Wesley
tentatively entitled "Web Intrusion Detection and Prevention with
Apache".  In it, I discuss a little known (at least by me and anyone
else I had presented this idea to) technique of altering not only the
Server banner token info but also any of the other outbound headers.

Here is a small excerpt from my chapter -

Banner Obfuscation with Apache's Output Filtering
If you are not using Mod_Security, which by this point I cannot think
of a reason why you wouldn't be using it, you can still accomplish
this same task using the Apache 2.0 Output Filters.  We briefly
discussed using the output filtering in chapter 8 when we needed to
fix some of the Buggy Bank login html data returned to the client.  In
this case, however, we need to alter the Server token of the HTTP
Response Header instead of the html output.  This can be accomplished
by the following output filter directives -

ExtFilterDefine fixbanner mode=output ftype=30 \
cmd="/bin/sed s|Apache.*$|Netscape-Enterprise/4\.1|g"

SetOutputFilter fixbanner

The first line defines our new filter is called, appropriately enough,
"fixbanner."  Two important pieces of information to note with this
ExtFilterDefine directive –

1.  We are using "ftype=30" to tell Apache which filter hook to use. 
Here is a section of text from the Apache util_filter.h header file
describing the AP_FTYPE_PROTOCOL type 30 –

/** These filters are used to handle the protocol between server * and
client.  Examples are HTTP and POP. */    AP_FTYPE_PROTOCOL     = 30,

2.  We are using the "sed" command to substitute the Apache banner
information with our new data – Netscape-Enterprise/4.1.  In order for
the sed command to work properly with Apache, we need to use an
alternate substitution delimiter.  Normally, the forward slash
character is used, however we are using the forward slash in our
substitution text (/4.1) and the sed command was not working properly
until I changed the delimiter.

</Warning: PR Info>

This is just one example of levaraging Apache 2.0's Output Filtering
capabilities.  Get creative as I am sure that others will be able to
come up with other fun security uses for Output filtering :)

Ryan C. Barnett
Web Application Security Consortium (WASC) Member
SANS Instructor: Securing Apache

On 5/19/05, Peter Motykowski <pmotykowski at suncorp.coop> wrote:
> My favorite obscurity layer of security in Apache is modifying the "ServerTokens" option.  The default setting dumps unnecessary version information into the server signature and looks something like this:
> Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7a PHP/5.0.4 mod_jk/1.2.10 Server at domain.com Port 80
> Change the setting to "ServerTokens Prod" and you get this:
> Apache Server at domain.com Port 80
> No need to hand out more info than needed!
> # ServerTokens
> # This directive configures what you return as the Server HTTP response
> # Header. The default is 'Full' which sends information about the OS-Type
> # and compiled in modules.
> # Set to one of:  Full | OS | Minor | Minimal | Major | Prod
> # where Full conveys the most information, and Prod the least.
> Peter

More information about the websecurity mailing list