Friday, 22 March 2013

Note to self - limiting the amount of information that IBM HTTP Server returns

I'm thinking about security, as should we all.

By default, IBM HTTP Server ( and, I guess, anything based upon Apache HTTPD ) automatically returns its version: -

in the Server HTTP response header ( as evidenced here using Firebug ).

The obvious first step is to change: -

ServerSignature On

to: -

ServerSignature Off

in httpd.conf ( which requires IHS to be restarted ), alongside the related directive: -

ServerTokens Prod

However, I still see the same: -

The trick appears to be to also add: -

AddServerHeader Off

to httpd.conf.

The first two directives are more fully explained in the Apache documentation: -

The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents (error messages, mod_proxy ftp directory listings, mod_info output, ...). The reason why you would want to enable such a footer line is that in a chain of proxies, the user often has no possibility to tell which of the chained servers actually produced a returned error message.

The Off setting, which is the default, suppresses the footer line (and is therefore compatible with the behavior of Apache-1.2 and below). The On setting simply adds a line with the server version number and ServerName of the serving virtual host, and the EMail setting additionally creates a "mailto:" reference to the ServerAdmin of the referenced document.

After version 2.0.44, the details of the server version number presented are controlled by the ServerTokens directive.

This directive controls whether the Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.

but the third directive - AddServerHeader - is a new feature, only found in IBM HTTP Server 7.0 and above: -

The Server response-header field contains information about the software used by the origin server to handle the request, sometimes including information about specific modules that are loaded. Some security policies may dictate that such identifying information be removed from all network daemons.

Setting AddServerHeader to off prevents IBM HTTP Server from adding the Server header to outgoing responses.

The value of the outgoing Server header can be logged by adding the string %{Server}o to whichever LogFormat is referenced by your CustomLog directives.

So, in summary, this is what I now have: -

AddServerHeader Off
ServerTokens Prod
ServerSignature Off

with the following result: -

PS I'm using Firebug to get details of the HTTP headers - other equally sweet plugins are available.
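If you would rather not eyeball the headers in a browser plugin, here is a small POSIX shell audit script, an added example that is not part of the original post. It reads one raw HTTP response ( for example the output of `curl -si http://host/nothere`, or a response saved from a proxy ) and reports three things: the Server header value, the ServerTokens level that a value of that shape corresponds to, and whether the body still carries the ServerSignature footer. The mapping from header shape to ServerTokens level is assumed from the Apache 2.2 documentation and is only meaningful for Apache-family servers; the two sample responses, the hostname and the path are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit a saved HTTP response for
# the two disclosures the post is removing, the Server header (ServerTokens /
# AddServerHeader) and the ServerSignature footer on server-generated pages.

# Print the value of the Server header from raw HTTP headers on stdin.
# Prints nothing when the header is absent, e.g. with AddServerHeader Off.
server_header() {
    tr -d '\r' | sed -n 's/^[Ss][Ee][Rr][Vv][Ee][Rr]:[ ]*//p' | head -n 1
}

# Map a Server header value back onto the ServerTokens level that produces
# such a value. Assumed shapes follow the Apache httpd 2.2 documentation and
# only make sense for Apache-family servers:
#   Full  "Apache/2.2.15 (Unix) PHP/5.3.3"   modules listed after the OS
#   OS    "Apache/2.2.15 (Unix)"
#   Min   "Apache/2.2.15"
#   Minor "Apache/2.2"
#   Major "Apache/2"
#   Prod  "Apache"  (IBM HTTP Server reports "IBM_HTTP_Server")
server_tokens_level() {
    case "$1" in
        "")                     echo none  ;;   # header suppressed entirely
        *") "*)                 echo Full  ;;
        *")")                   echo OS    ;;
        */[0-9]*.[0-9]*.[0-9]*) echo Min   ;;
        */[0-9]*.[0-9]*)        echo Minor ;;
        */[0-9]*)               echo Major ;;
        *)                      echo Prod  ;;
    esac
}

# Report whether a body carries the ServerSignature footer, which httpd
# renders as <address>... Server at host Port n</address> on error pages.
has_server_signature() {
    if grep -qi '<address>.*Server at .*</address>'; then echo yes; else echo no; fi
}

# Audit one complete raw response (headers, blank line, body) read from stdin.
audit_response() {
    resp=$(tr -d '\r')                                   # normalise CRLF to LF
    hdr=$(printf '%s\n' "$resp" | sed '/^$/q' | server_header)
    sig=$(printf '%s\n' "$resp" | sed '1,/^$/d' | has_server_signature)
    printf 'server=%s tokens=%s signature=%s\n' \
        "${hdr:-<absent>}" "$(server_tokens_level "$hdr")" "$sig"
}

# Constructed sample 1: stock RHEL 6 httpd defaults (ServerTokens OS,
# ServerSignature On) answering a request for a missing page.
leaky='HTTP/1.1 404 Not Found
Date: Fri, 22 Mar 2013 10:00:00 GMT
Server: Apache/2.2.15 (Red Hat)
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Not Found</h1>
<p>The requested URL /nothere was not found on this server.</p>
<address>Apache/2.2.15 (Red Hat) Server at www.example.com Port 80</address>
</body></html>'

# Constructed sample 2: IBM HTTP Server with the three directives from the
# post in place (AddServerHeader Off, ServerTokens Prod, ServerSignature Off).
hardened='HTTP/1.1 404 Not Found
Date: Fri, 22 Mar 2013 10:00:00 GMT
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Not Found</h1>
<p>The requested URL /nothere was not found on this server.</p>
</body></html>'

printf '%s\n' "$leaky"    | audit_response   # server=Apache/2.2.15 (Red Hat) tokens=OS signature=yes
printf '%s\n' "$hardened" | audit_response   # server=<absent> tokens=none signature=no
```

Run it against a URL that does not exist on the server ( `curl -si http://host/nothere | audit_response` ), since the ServerSignature footer only appears on server-generated pages such as the 404; a successful response for a static file exercises only the Server header check.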

For the record, using base Apache 2.2.15 ( as shipped with Red Hat Enterprise Linux 6.3 ), this is what we see by default: -

because we have the default settings of: -

ServerTokens OS
ServerSignature On

in /etc/httpd/conf/httpd.conf.

If we change this to: -

ServerTokens Prod
ServerSignature Off

we only see: -

Sadly, if we try adding: -

AddServerHeader Off

we see: -

Invalid command 'AddServerHeader', perhaps misspelled or defined by a module not included in the server configuration

when starting Apache :-)

See, I did say that it was an IBM addition ...
