Server Version Disclosure in Apache

When we install or configure Apache web server in our operating system, it come up with this one vulnerability of server version Disclosure.


What is Server Version Disclosure?


First of all let us understand, what is this server version disclosure vulnerability. So, when we install web server in our operating system, it displays version of our web server along with the name of our operating system. This information is available in header fields and can be acquired using a web browser to make a simple HTTP request to any web application. It is often called the web server banner and is ignored by most people with the exception of malicious ones.


HTTP/1.1 200 OK
Date: Thu, 12 Jun 2014 14:15:01 GMT
Server: Apache/2.2.21 (Win32) PHP/5.4.7
Content-Length:226
Connection: close
Content-Type: text/html; charset=iso-8859-1

Attackers can perform banner grabbing using even simple TCP tools like telnet or netcat. Then they launch targeted attacks against your web server and version. In addition, if a particular web server version is known to be vulnerable to a specific exploit, the attacker would just need to use that exploit as part of their assault on the target web server.


Here, I will tell you to close this vulnerability with the following steps. It is easy to perform and has no impact on your web server.


There are two methods provided on internet which you can apply in your Apache web server but these two methods won't help you to hide Apache name from the server key in HTTP request.


1) ServerTokens Prod: This will configure Apache to not send any version numbers in the server response header so that the server line will be: Server: Apache. Prod is the value that provides the least information (product name only). If no ServerTokens directive is provided, it is equivalent to ServerTokens Full (with the result being, for example, Server: Apache/2.4.2 (Unix) PHP/4.2.2)


2) ServerSignature Off: This will ensure that Apache does not display the server version in the footer of server-generated pages. Note that this is the default setting.


The above solution would still not allow you to hide the fact that you are using Apache since the Server HTTP header will still say Apache.


Using Modsecurity we can achieve the result of hiding or change the Server HTPP header.


1) First of all, Download the mod_security tar file from the internet.

wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz

2) Now install below dependencies:

	For Ubuntu:
		apt-get install apache2-dev
		apt-get install liblua5.1-0-dev
		apt-get install libxml2-dev

	For CentOS:
		yum install httpd-devel
		yum install libxml2-devel
		yum install lua-static

3) Now untar the file that we have downloaded from the internet.

tar -xvf modsecurity-2.9.1.tar.gz

4) Now, Go to folder mod_secutrity-2.9.1 and run below command to configure it with correct apxs and apr path.

./configure --with-apxs='your apxs path' --with-apr='your apr path'

5) Run below commands in the same folder.

make
make install

6) Copy the mod_security2.so file from the below path(most probably, you will find it here) to modules folder of your Apache server

cp /usr/local/modsecurity/lib/mod_security2.so <'YourApacheServerModulePath'>

7) Uncomment below line in the http.conf file.

LoadModule security2_module modules/mod_security2.so

8) Go to the extracted folder where you untar your mod_security and copy below two files to your Apache conf folder

	cp unicode.mapping  'YourApacheServerConfFolderPath'
	cp modsecurity.conf-recommended 'YourApacheServerConfFolderPath'

9) Add below lines to add your mod_security in httpd.conf file

	<IfModule security2_module>
	#For Mod_security
	Include conf/mod_security.conf
	ServerTokens Full
	SecServerSignature " "
	</IfModule>

--- SecServerSignature " " --- is used to hide the Apache version for Server Version disclosure vulnerability. You can write anything you want in place of space in SecServerSignature.


10) The final result will amaze you.

HTTP/1.1 200 OK
Date: Thu, 12 Jun 2014 14:15:01 GMT
Server: 
Content-Length:226
Connection: close
Content-Type: text/html; charset=iso-8859-1

Conclusion

In the summary of this blog, we can hide server version of Apache Http Server with the help of mod_security and can prevent our server from various kind of threats.


29 views