[WEB SECURITY] Securing apache installation with PHP

Rochford, Paul paul.rochford at hp.com
Thu May 19 12:01:52 EDT 2005


The PDF that comes with the Apache Benchmark from www.cisecurity.org has
tons of info on obfuscating Apache banners and responses by modifying
the httpd.h file, using different header set types for Emulation etc and
others.


Kind Regards,
Paul Rochford 

-----Original Message-----
From: Ryan Barnett [mailto:rcbarnett at gmail.com] 
Sent: Thursday, May 19, 2005 4:15 PM
To: Peter Motykowski
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Securing apache installation with PHP

I wanted to give everyone a quick teaser on some Apache obfuscation
info.  

<Warning: PR Info>
I am currently writing a book for Prentice-Hall/Addison-Wesley
tentatively entitled "Web Intrusion Detection and Prevention with
Apache".  In it, I discuss a little known (at least by me and anyone
else I had presented this idea to) technique of altering not only the
Server banner token info but also any of the other outbound headers.

Here is a small excerpt from my chapter -

********************************************
Banner Obfuscation with Apache's Output Filtering

If you are not using Mod_Security, which by this point I cannot think of
a reason why you wouldn't be using it, you can still accomplish this same
task using the Apache 2.0 Output Filters.  We briefly discussed using the
output filtering in chapter 8 when we needed to fix some of the Buggy Bank
login html data returned to the client.  In this case, however, we need
to alter the Server token of the HTTP Response Header instead of the
html output.  This can be accomplished by the following output filter
directives -

ExtFilterDefine fixbanner mode=output ftype=30 \
    cmd="/bin/sed s|Apache.*$|Netscape-Enterprise/4\.1|g"

SetOutputFilter fixbanner

The first line defines our new filter is called, appropriately enough,
"fixbanner."  Two important pieces of information to note with this
ExtFilterDefine directive -

1.  We are using "ftype=30" to tell Apache which filter hook to use. 
Here is a section of text from the Apache util_filter.h header file
describing the AP_FTYPE_PROTOCOL type 30 -

/** These filters are used to handle the protocol between server
 *  and client.  Examples are HTTP and POP. */
AP_FTYPE_PROTOCOL     = 30,

2.  We are using the "sed" command to substitute the Apache banner
information with our new data - Netscape-Enterprise/4.1.  In order for
the sed command to work properly with Apache, we need to use an
alternate substitution delimiter.  Normally, the forward slash character
is used, however we are using the forward slash in our substitution text
(/4.1) and the sed command was not working properly until I changed the
delimiter.

********************************************
</Warning: PR Info>

This is just one example of leveraging Apache 2.0's Output Filtering
capabilities.  Get creative as I am sure that others will be able to
come up with other fun security uses for Output filtering :)

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GCUX, GSEC

On 5/19/05, Peter Motykowski <pmotykowski at suncorp.coop> wrote:
> My favorite obscurity layer of security in Apache is modifying the
> "ServerTokens" option.  The default setting dumps unnecessary version
> information into the server signature and looks something like this:
> 
> Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7a PHP/5.0.4 
> mod_jk/1.2.10 Server at domain.com Port 80
> 
> Change the setting to "ServerTokens Prod" and you get this:
> Apache Server at domain.com Port 80
> 
> No need to hand out more info than needed!
> 
> # ServerTokens
> # This directive configures what you return as the Server HTTP response
> # Header. The default is 'Full' which sends information about the OS-Type
> # and compiled in modules.
> # Set to one of:  Full | OS | Minor | Minimal | Major | Prod
> # where Full conveys the most information, and Prod the least.
> 
> Peter
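An added example, not part of any of the posts above: it runs the sed expression from Ryan's ExtFilterDefine excerpt over a constructed HTTP response so the header rewrite can be checked offline, and compares it with a variant anchored on the Server header line (that anchored expression is an assumption of this example, not something from the excerpt).

```shell
#!/bin/sh
# Added example (not from the list posts): exercise the sed expression from
# the ExtFilterDefine excerpt against a constructed HTTP response, so the
# rewrite can be checked before it is put on a live server.

# Constructed sample response, headers and body, as an output filter would see it.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7a PHP/5.0.4
Content-Type: text/html

<html><body>Powered by Apache httpd, see the docs.</body></html>'

# The expression exactly as in the excerpt: "|" is the delimiter because the
# replacement text contains a "/".
ORIGINAL_EXPR='s|Apache.*$|Netscape-Enterprise/4\.1|g'

# Tighter variant (assumption, not from the post): anchored on the Server
# header, so body text that happens to mention Apache is left alone.
SCOPED_EXPR='s|^Server: Apache.*$|Server: Netscape-Enterprise/4.1|'

# apply_filter EXPR: run sed with EXPR over the sample, like the ext filter does.
apply_filter() {
    printf '%s\n' "$SAMPLE_RESPONSE" | sed "$1"
}

# server_header EXPR: the value of the Server header after filtering.
server_header() {
    apply_filter "$1" | sed -n 's/^Server: //p'
}

# body_mentions_apache EXPR: succeeds (0) if the HTML body still contains "Apache".
# The body is everything after the first blank line.
body_mentions_apache() {
    apply_filter "$1" | sed '1,/^$/d' | grep -q 'Apache'
}

# Show both results: the unanchored expression also rewrites the body line.
main() {
    printf 'original : %s\n' "$(server_header "$ORIGINAL_EXPR")"
    printf 'scoped   : %s\n' "$(server_header "$SCOPED_EXPR")"
    if body_mentions_apache "$ORIGINAL_EXPR"; then
        echo 'original expression left the body untouched'
    else
        echo 'original expression also rewrote "Apache" inside the HTML body'
    fi
}
main
```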

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
