Security
While scanning our website using https://www.securitymetrics.com/, I came across the following issues:
ServerName
The following
telnet
session detected our load balancer:patrick@noname:~$ telnet www.myserver.com 80 Trying 89.119.229.49... Connected to www.myserver.com. Escape character is '^]'. GET /images HTTP/1.0 HTTP/1.1 302 FOUND Date: Thu, 27 May 2010 08:10:23 GMT Server: Apache Vary: Cookie Location: http://web3.myserver.com/images/ Content-Length: 0 Connection: close Content-Type: text/html; charset=utf-8 Connection closed by foreign host.
The redirection to a different URL returns the
Location
header which gives the actual URL of the content.The
Location
header has a different server name to the original request confirming the existence of a load balancer.The
Location
header returns theServerName
from the Apache configuration file.To stop this vulnerability, set the Apache
ServerName
to the site name and add aServerAlias
with the actual name of the server e.g:ServerName www.myserver.com ServerAlias web1.myserver.com
Note: This vulnerability was difficult to detect. The HTTP response only contains the
Location
header on a redirect. The browser did an automatic redirect, so we couldn’t see the header in FireBug. Thiscurl
session shows the problem:
patrick@noname:~$ curl www.myserver.com/images --head
HTTP/1.1 302 FOUND
Date: Thu, 27 May 2010 08:26:45 GMT
Server: Apache
Vary: Cookie
Location: http://web3.myserver.com/images/
Connection: close
Content-Type: text/html; charset=utf-8
patrick@noname:~$ curl www.myserver.com/images/ --head
HTTP/1.1 404 NOT FOUND
Date: Thu, 27 May 2010 08:27:36 GMT
Server: Apache
Vary: Cookie
Content-Length: 5539
Connection: close
Content-Type: text/html; charset=utf-8
ServerTokens Directive
Module Documentation - ServerTokens Directive
Changing the ‘ServerTokens
’ directive in the Apache configuration to
resemble the following:
ServerTokens Prod
You can set this directive by editing the /etc/httpd/conf/httpd.conf
file.
The ServerTokens
directive will hide the web server information.
mod_status
Very useful ticket conversation with a Rackspace person…
../../misc/howto/apache/http/rackspace.txt