Preventing Banner Grabbing in Web Servers

After a lot of googling I found nothing significant...then a friend of mine Vaibhav actually helped me with his precious knowledge.
This is a quick reference for preventing Banner Grabbing:

For Apache Server:


Edit your httpd.conf file and make sure the following directives are present:

ServerSignature Off

ServerTokens Prod

Disabling the ServerSignature token instructs Apache to not print version information when an error page such as a “404-Not Found” is displayed. The ServerTokens directive, when set to Prod, instructs Apache to only display “Server: Apache” in the banner. If you do not want to display “Apache” in the Server tag but want to display fake in-formation such as “Server: Not-allowed,” you will need to

1. Download the Apache source code.

2. Edit the file httpd.h and change the value of the string “Apache” in the line

#define SERVER_BASEPRODUCT "Apache"

to something else:

#define SERVER_BASEPRODUCT "Not-allowed"

3. Recompile, reinstall, and restart Apache.

***************

A different approach for changing the name in a source file is to replace the ap_set_version( ) function, which is responsible for construction of the server name in the first place. For Apache 1, replace the existing function (in http_main.c) with one like the following, specifying whatever server name you wish:

Static void ap_set_version(void)

{

/* set the server name /

Ap_add_version_component(“Microsoft-IIS/6.0”);

/ do not allow other modules to add to it */

Version_locked++;

}

For Apache 2, replace the function ( defined in core.c):

Static void ap_set_version(apr_pool_t pconf)

{

/ set the server name /

ap_add_version_component (pconf, “Microsoft-IIS/6.0”);

/ do not allow other modules to add to it */

Version_locked++;

}

****************

Using third party module: mod_security

A different approach to changing the name of the serve is to use a thirde-party module, mod_security. For this approach to work, you must allow Apache to reveal its full identity, and then instruct mod_security to change the identity to something else. The following directives can be added to Apache configuration:

# Reveal full identity (standard Apache directive)

ServerTokens Full

# Replace the server name (mod_security directive)

SecServerSignature “Microsoft-IIS/6.0”

Apache modules are not allowed to change the name of the server completely, but mod_security works by finding where the name is kept in memory and overwriting the text directly. The ServerTokens directive must be set to Full to ensure the web server allocates a large enough space for the name, giving mod_security enough space to make its changes later.


Microsoft IIS4 and IIS5:

1. Stop the World Wide Web Publishing service, and then edit

%systemroot%/system32/inetstrv/w3svc.dll

2. You can use notepad to edit it, or get a free hex editor.

3. Change both instances of 'Microsoft IIS/4.0' or 'Microsoft IIS/5.0'

inside the file. Both instances are located almost next to each other.

4. Restart the World Wide Web Publishing service.

Here is the output to a GET / HTTP/1.0:

GET / HTTP/1.0

HTTP/1.1 200 OK

Server: web server>

Date: Sat, 07 Apr 2001 02:13:48 GMT

Connection: Keep-Alive

Content-Length: 1270

Content-Type: text/html

Set-Cookie: ASPSESSIONIDQQQQGVFK=MJMLILDDLINNBHMPJIBEJCGL; path=/

Cache-control: private






Comments

Chintan Dave said…
Dude.... You could have asked the library sitting besides you :D

I could have reduced hell a lot of your effort on googling :D
Anonymous said…
Thanks for the information Nilesh ..can you please provide the same for Jboss web server .
Manoj Kimni said…
How to solve banner grabbing problem n IIS 7

Popular posts from this blog

SQL Injection in search field

Nipper Download