TWed2k - Linux交流 - [轉貼]如何不讓 apache 洩漏你 server 的資訊?

主題: [轉貼]如何不讓 apache 洩漏你 server 的資訊? [打印本頁]

發表人: swchen 時間: 2005-11-23 10:53 AM 主題: [轉貼]如何不讓 apache 洩漏你 server 的資訊?

1. 在 httpd.conf 任意位置加入一行
代碼:
ServerTokens Prod

註：ServerTokens 的參數有 Min[imal], OS, Prod[uctOnly], Full 四種

2. 重新啟動 apache 就可以了

以下是在 httpd.conf 中的設定值，及 Apache 在 header 的回應

ServerTokens Full
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b PHP/4.1.2

ServerTokens OS
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux)

ServerTokens Min
Server: Apache/1.3.27

ServerTokens Prod
Server: Apache

所以設定成 ServerTokens Prod 應該是比較好的選擇

參考
http://www.apacheref.com/ref/http_core/ServerTokens.html

Apache Reference: http_core, ServerTokens

ServerTokens
Control Tokens Displayed in HTTP Server Header Field
Syntax: ServerTokens A
Example: ServerTokens min
Since: Apache 1.3

This directive controls whether the HTTP Server response header field, which is sent back to clients, includes a description of the generic operating system type of the server (if type is ``os'') as well as information about compiled-in modules (if type is ``full''). With a type of ``min'', only the server version is included. This setting applies to the entire server, and it cannot be enabled or disabled on a per- virtual-host basis.

建議再加上 ServerSignature Email
或 ServerSignature Off

＊ServerSignature On
用法：ServerSignature 選項
(可用的選項有︰On，Off 以及 Email)

ServerSignature 指令用來選擇，當 Apache/2 遇到如錯誤訊息等情形而產生一份
告知使用者目前情形的網頁時，是否要附加上一些提示使用者的資訊。
如果設定為 "Off"，就是除了內定告知使用者的資訊以外，不再附加其他資訊。
如果設定為 "On"，則表示在該網頁加上 ServerName 指令所指定的伺服器名稱；
如果設定為 "Email"，則在該告知網頁上，附加 ServerAdmin 後面所指定的電子郵件位址。

如果有使用 php 的話
建議再修改 php.ini
改 expose_php (預設是 On)
expose_php = Off

; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header). It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
;expose_php = On

發表人: Vic 時間: 2005-11-24 03:50 PM

呵呵~ 我知道有些apache server 故意將自己ServerTokens 改成 IIS

發表人: innova 時間: 2006-2-5 01:46 PM

sendmail 有辦法如法泡製嗎？

引用:

# telnet 210.22.188.87 25
Trying 210.22.188.87...
Connected to quantacn.com (210.22.188.87).
Escape character is '^]'.
220 ironport-c30.QUANTACN.com ESMTP
help
214-The following commands are recognized
214- auth data ehlo helo
214- help mail noop quit
214 rcpt rset vrfy
quit
221 ironport-c30.QUANTACN.com
Connection closed by foreign host.

# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.myhost.com.tw ESMTP Sendmail 8.13.4/8.13.4; Sun, 5 Feb 2006 12:08:50 +0800
Connection closed by foreign host.

歡迎光臨 TWed2k (http://twed2k.org/)