Prevent Webserver Information Leakage

Obtaining information about the webserver in use is an early step for any attacker: a known vulnerability in a particular webserver version can give an attacker easy access to the server. Learn how you can prevent this leakage.

Security Assessment

CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Vulnerability Information

Obtaining information about the webserver in use is an early step for any attacker: a known vulnerability in a particular webserver version can give an attacker easy access to the server. To complicate the information gathering process, the webserver should not reveal information about itself such as its name or version.

This scanner addresses the OWASP Top 10 category "Using Components with Known Vulnerabilities". Keeping your webserver up to date is what actually removes the vulnerabilities; hiding which webserver, and which version, you are running is an added layer that makes it harder for an attacker to pick a matching exploit.

Guides

Use one of the following guides to disable information leakage for your webserver:

  • Apache
  • Apache 2.2
  • nginx

Apache

To disable the server signature, which usually contains the name and version of an Apache webserver, do the following:

Open the Apache configuration file on your system. This file is usually located at:

  • /etc/apache2/apache2.conf (Debian, Mint, Ubuntu)
  • /etc/httpd/conf/httpd.conf (Arch, Fedora, CentOS, RHEL)

Depending on the distribution, there may also be additional configuration files that hold security-related settings, such as /etc/apache2/conf-enabled/security.conf on Debian-based systems. Check these as well: a later ServerTokens or ServerSignature declaration overrides an earlier one.

Apply the settings from the following gist:

https://github.com/crashtest-security/gist/blob/master/fingerprinting/apache_settings

Then reload the webserver configuration as shown in the following gist:

https://github.com/crashtest-security/gist/blob/master/fingerprinting/apache_configuration
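The following script is an added example and not the content of the gist linked above. It writes the two Apache directives that control the leak (ServerTokens and ServerSignature) into their own snippet, checks what a given config file still sets, and only reloads once the config passes a syntax test. It assumes a Debian-style layout (/etc/apache2/conf-available plus a2enconf); on RHEL-style systems the snippet can be written to /etc/httpd/conf.d and a2enconf skipped. The file name zz-hardening.conf and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not the page's gist): Apache anti-fingerprinting snippet,
# written as its own conf file, with a check and a safe reload.

# The two directives that matter:
#   ServerTokens Prod    -> Server header becomes just "Apache"
#                           (no version, no OS, no module list)
#   ServerSignature Off  -> no "Apache/2.x.y (OS) Server at host Port 80"
#                           footer on error pages and directory listings
apache_hardening_conf() {
    cat <<'EOF'
# Anti-fingerprinting: hide version, OS and module list from the Server header
ServerTokens Prod
# Anti-fingerprinting: no version footer on server-generated pages
ServerSignature Off
EOF
}

# Write the snippet to <confdir>/zz-hardening.conf and print the path.
# The "zz-" prefix matters on Debian: conf-enabled/*.conf is included in
# alphabetical order and the stock security.conf sets "ServerTokens OS", so
# the file must sort after it for Prod to win (or edit security.conf itself).
write_apache_hardening() {
    confdir="$1"
    [ -d "$confdir" ] || { echo "no such directory: $confdir" >&2; return 1; }
    apache_hardening_conf > "$confdir/zz-hardening.conf"
    echo "$confdir/zz-hardening.conf"
}

# Report the last ServerTokens / ServerSignature values in one config file.
# Apache applies the last declaration it reads, so the last line is the one
# that counts. Prints "ServerTokens=<v> ServerSignature=<v>" ("unset" if absent).
apache_tokens_in_file() {
    tokens=$(grep -i '^[[:space:]]*ServerTokens[[:space:]]' "$1" | tail -n 1 | awk '{print $2}')
    sig=$(grep -i '^[[:space:]]*ServerSignature[[:space:]]' "$1" | tail -n 1 | awk '{print $2}')
    echo "ServerTokens=${tokens:-unset} ServerSignature=${sig:-unset}"
}

# Debian/Ubuntu: enable the snippet, test the config, then reload gracefully.
# Nothing is reloaded unless configtest passes, so a typo cannot take the
# server down. Returns non-zero when no apachectl is installed.
enable_and_reload_apache() {
    if command -v a2enconf >/dev/null 2>&1; then
        a2enconf zz-hardening >/dev/null
    fi
    if command -v apache2ctl >/dev/null 2>&1; then ctl=apache2ctl
    elif command -v apachectl >/dev/null 2>&1; then ctl=apachectl
    else echo "apachectl not found: reload the server manually" >&2; return 1
    fi
    "$ctl" configtest && "$ctl" graceful
}

# Usage (as root, Debian/Ubuntu):
#   . ./apache_hardening.sh
#   apache_tokens_in_file /etc/apache2/conf-enabled/security.conf   # what is set now
#   write_apache_hardening /etc/apache2/conf-available && enable_and_reload_apache
```

Note that ServerTokens Prod still announces the product name "Apache"; mod_headers cannot strip the Server header itself, so removing the name entirely needs a different mechanism (a reverse proxy in front, or a module such as ModSecurity that rewrites the signature).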

Apache 2.2

In addition to the server signature, Apache version 2.2 has another feature that can leak its version: the standard installation ships a header image that contains the version information. The problematic image(s) are usually located in /usr/share/apache2/icons/ and are made publicly available under /icons by an alias configuration. To stop them from being delivered, edit the configuration file /etc/apache2/mods-available/alias.conf and remove the lines shown in the following gist:

https://github.com/crashtest-security/gist/blob/master/fingerprinting/apache2.2_settings
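The script below is an added example, not the gist linked above. It removes the /icons alias and its <Directory> block from alias.conf without hand-editing, writing to a temporary file first so a failed edit never truncates the original, and it includes a constructed alias.conf fragment (not copied from a real system) to show the before and after. It assumes the Debian/Ubuntu paths named on this page; adjust the regular expressions if your icons live elsewhere.

```shell
#!/bin/sh
# Added example (not the page's gist): drop the public /icons alias so the
# stock icon set, which includes images carrying the Apache version, is no
# longer served. Assumes the Debian/Ubuntu layout named on the page.

# Remove the "Alias /icons/ ..." line and the matching
# <Directory "/usr/share/apache2/icons"> ... </Directory> block.
# Output goes to a temp file that replaces the original only on success.
strip_icons_alias() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    tmp="$conf.tmp.$$"
    sed -e '/^[[:space:]]*Alias[[:space:]]\{1,\}\/icons\//d' \
        -e '/^[[:space:]]*<Directory[[:space:]]\{1,\}"\{0,1\}\/usr\/share\/apache2\/icons\/\{0,1\}"\{0,1\}>/,/^[[:space:]]*<\/Directory>/d' \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Does this alias.conf still expose /icons?  exit 0 = yes (leak), 1 = no.
icons_alias_present() {
    grep -q '^[[:space:]]*Alias[[:space:]]\{1,\}/icons/' "$1"
}

# Constructed sample of the relevant part of an Apache 2.2 alias.conf
# (labelled: written for this example, not taken from a system).
demo_alias_conf() {
    cat <<'EOF'
<IfModule alias_module>
    # Aliases: Add here as many aliases as you need (with no limit).
    Alias /icons/ "/usr/share/apache2/icons/"

    <Directory "/usr/share/apache2/icons">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</IfModule>
EOF
}

# Usage (as root, Debian/Ubuntu), then reload Apache and confirm the icons
# are gone, e.g. `curl -sI http://host/icons/apache_pb.gif` should now be 404:
#   cp /etc/apache2/mods-available/alias.conf /root/alias.conf.bak
#   strip_icons_alias /etc/apache2/mods-available/alias.conf
#   icons_alias_present /etc/apache2/mods-available/alias.conf && echo "still exposed"
```

Caveat: mod_autoindex directory listings reference these icons, so after the change any listing you still serve will show broken image links; if you rely on listings, restrict /icons to trusted addresses instead of removing the alias. ServerTokens Prod does not affect these files at all, which is why this step is separate.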

nginx

To disable the version string that nginx sends by default, edit the configuration file, usually located at /etc/nginx/nginx.conf, and add the directive from the following gist inside the http block:

https://github.com/crashtest-security/gist/blob/master/fingerprinting/nginx_html_settings

This only removes the version; the product name "nginx" is still sent. To stop the server name from being sent as well, you need the HttpHeadersMoreModule (headers-more-nginx-module). Install it with the command(s) from the following gist:

https://github.com/crashtest-security/gist/blob/master/fingerprinting/nginx_server_name_disable

For other systems (such as CentOS or RHEL), you need to build nginx with the module from source, as described in the module's installation notes.

Then add the line from the following gist to the http block of the configuration file, choosing a server name of your liking:

https://github.com/crashtest-security/gist/blob/master/fingerprinting/nginx_new_server_name
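As an added example covering the nginx steps above and the verification that both the Apache and nginx guides on this page need, the script below emits the nginx directives, reloads only after nginx -t passes, and classifies what a server's Server header actually reveals. It is not the content of the linked gists. It assumes nginx reads /etc/nginx/nginx.conf with an http { } block and that the headers-more module is loaded (on Debian/Ubuntu the package libnginx-mod-http-headers-more-filter places a load_module line under /etc/nginx/modules-enabled/); the default name "webserver", the function names and the sample response headers are this example's own.

```shell
#!/bin/sh
# Added example (not the page's gists): nginx anti-fingerprinting directives,
# a guarded reload, and an offline/online check of the Server header.

# Directives to place inside the http { } block.
#   server_tokens off  -> "Server: nginx" and no version on nginx's error pages
#   more_set_headers   -> replaces the Server header value (headers-more module)
# Pass the name you want to announce; "webserver" is just this example's default.
nginx_hardening_conf() {
    name="${1:-webserver}"
    cat <<EOF
    # Anti-fingerprinting: drop the version from the Server header and error pages
    server_tokens off;
    # Anti-fingerprinting (headers-more module): replace the product name as well
    more_set_headers 'Server: $name';
EOF
}

# Test the config and reload only if it is valid. Requires nginx on PATH.
reload_nginx_if_valid() {
    command -v nginx >/dev/null 2>&1 || { echo "nginx not found" >&2; return 1; }
    nginx -t && nginx -s reload
}

# Classify a Server header value the way a fingerprinting scanner would:
#   versioned -> product and version  ("nginx/1.18.0", "Apache/2.4.41 (Ubuntu)")
#   product   -> product name only    ("nginx", "Apache")
#   custom    -> a value naming no known product ("webserver")
#   none      -> header absent or empty
classify_server_header() {
    case "$1" in
        "")                                 echo none ;;
        *[0-9].[0-9]*)                      echo versioned ;;
        [Nn]ginx*|[Aa]pache*|Microsoft-IIS*) echo product ;;
        *)                                  echo custom ;;
    esac
}

# Extract the Server header value from raw response headers (as printed by
# `curl -sI URL`); CRLF line endings are tolerated. Prints nothing if absent.
server_header_value() {
    printf '%s\n' "$1" | tr -d '\r' \
        | awk 'tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Live check of one URL (needs network; the offline functions above do not).
check_url() {
    hdrs=$(curl -sI --max-time 10 "$1") || return 1
    classify_server_header "$(server_header_value "$hdrs")"
}

# Usage (as root):
#   nginx_hardening_conf myname >> /etc/nginx/conf.d/hardening.conf  # or paste into http { }
#   reload_nginx_if_valid
#   check_url https://www.example.com/        # expect "custom" (or "product" without headers-more)
```

Run check_url before and after the change: "versioned" is the result this scanner flags, "product" is what Apache's ServerTokens Prod or nginx's server_tokens off alone produce, and "custom" or "none" is the goal once the header is rewritten. Remember that other artefacts (default error pages, the Apache 2.2 icons, HTTP/2 or TLS fingerprints) can still identify the software, so treat this check as one signal, not proof of anonymity.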

For more information about Crashtest Security visit https://crashtest-security.com/.