Operating System - HP-UX

remove server banner in HTTP header

 
Fauziah Mahdan
Super Advisor

remove server banner in HTTP header

Hi all,
My app server is under an HP-UX 11.00 server.
We tested our website using an HTTP viewer, and the web server banner with some server information was disclosed to the public.

Where and how can I remove the server banner in the HTTP header for this server configuration file?


Thanks
Fauziah Mahdan
12 REPLIES
Denver Osborn
Honored Contributor

Re: remove server banner in HTTP header

Is this for an Apache web server? If so, the ServerTokens directive can be set to display less information about your webserver. Default is "full", "prod" only shows the product "Apache".

See http://httpd.apache.org/docs/2.0/mod/core.html#servertokens for details.

After making the change to httpd.conf, sighup or restart apache.

If you want to completely remove or mask ServerTokens, you'll want to modify the source code then recompile apache.

-denver
Heironimus
Honored Contributor

Re: remove server banner in HTTP header

It wouldn't be necessary to recompile all of Apache even to mask out "Apache" from the headers. Depending on the version of Apache, you may be able to use the included mod_headers to overwrite the Server header, or you could use a third-party module like mod_security that provides that functionality.
Fauziah Mahdan
Super Advisor

Re: remove server banner in HTTP header

The Apache version is 1.3.12.

I already checked the httpd.conf.
Not sure which part to remove.
spex
Honored Contributor

Re: remove server banner in HTTP header

Hi Fauziah,

"ServerTokens Full" is the default directive if none is specified. If you don't see "ServerTokens ..." in httpd.conf, simply add "ServerTokens Prod" and restart Apache:

# /opt/hpws/apache/bin/apachectl stop
# /opt/hpws/apache/bin/apachectl start

This will shorten the HTTP response header from "Apache/1.3.12 (Unix) ..." to "Apache".

PCS
Fauziah Mahdan
Super Advisor

Re: remove server banner in HTTP header

What about if I want to totally remove the server banner?
What is the command?


Thanks
Fauziah Mahdan
Kasper Hedensted
Trusted Contributor

Re: remove server banner in HTTP header

It is not that easy to remove the banner completely.

But here are some suggestions:

You can use hexedit to edit the httpd file directly and remove the Apache string.

Or you can edit the Apache source "include/ap_release.h" and recompile it.
Ralph Grothe
Honored Contributor

Re: remove server banner in HTTP header

Here's another option.
You could use Ivan Ristic's mod_security.
This module offers a SecServerSignature
directive (filter) that you could set to any
string that should be sent in the HTTP header of a server response.
Please look up SecServerSignature here:

http://www.modsecurity.org/documentation/modsecurity-apache/2.0.2/modsecurity2-apache-reference.html#N102F3

But mod_sec should be used for more compelling reasons on any Apache that serves to the WWW.
It actually can be thought of as an HTTP firewall, similar to but far more flexible than an HTTP proxy.
You can set up any sort of filter rule against all sorts of attacks (which are originating mostly from unaware owners' zombie PCs).


Madness, thy name is system administration
Fauziah Mahdan
Super Advisor

Re: remove server banner in HTTP header

Apache source = httpd.conf, is it? By adding the command you mentioned?


Kasper Hedensted
Trusted Contributor

Re: remove server banner in HTTP header

No, it is the source code for Apache I am referring to.

( can be downloaded from http://httpd.apache.org/ )

The other suggestion involves downloading hexedit ( http://hpux.cs.utah.edu/hppd/hpux/Development/Tools/hexedit-1.2.10/ ) and editing the httpd file.
Fauziah Mahdan
Super Advisor

Re: remove server banner in HTTP header

Hi,
Yes, actually we are using ApacheJserv version 1.3.12. I am lost now: which file should I amend or change the setting in?
Fauziah Mahdan
Super Advisor

Re: remove server banner in HTTP header

Spex,
you mentioned adding "ServerTokens Prod" and restarting Apache;
then the server info will remain Apache without the version. What about if I want to remove all the server info?

Right now it is displayed as
HTTP/1.1 200 OK
Date: date today
Server: Apache/1.3.12 (unix) ApacheJserv/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a
Last Modified:date
Etag:code will display
Accept-Ranges:bytes
Content-Length:300
Connection:close
Content-Type:text/html
Fauziah Mahdan
Super Advisor

Re: remove server banner in HTTP header

Hi,
I have checked that my httpd.conf is already set as
ServerSignature Off
ServerTokens Prod


but why is the server info still displayed in detail?
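
A check for whether the ServerTokens change discussed in this thread has taken effect, as an added example that is not part of any post. It parses a saved HTTP response head and reports what the Server banner still discloses; the function names and the two sample responses are assumptions, constructed from the header values quoted above.

```python
import re

# A Server value is a run of product tokens ("name/version") and
# parenthesised comments such as the OS.
TOKEN = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/(\S+))?")

def server_header(raw_response):
    """Return the Server header value from a raw response head, or None."""
    for line in raw_response.splitlines()[1:]:    # skip the status line
        if not line.strip():
            break                                 # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

def audit_banner(raw_response):
    """Classify the banner: absent, product-only, or detailed."""
    value = server_header(raw_response)
    if value is None:
        return {"level": "absent", "products": [], "comments": []}
    products, comments = [], []
    for comment, name, version in TOKEN.findall(value):
        if comment:
            comments.append(comment)
        elif name:
            products.append((name, version or None))
    # Any version number or OS comment means more than the bare product name.
    detailed = bool(comments) or any(v for _, v in products)
    return {"level": "detailed" if detailed else "product-only",
            "products": products, "comments": comments}

# Constructed samples: the banner quoted in the thread, and the "Prod" form.
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Server: Apache/1.3.12 (unix) ApacheJserv/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a\r\n"
          "Content-Type: text/html\r\n\r\n")
AFTER = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        result = audit_banner(sample)
        print(label, result["level"], result["products"], result["comments"])
```

If the result is still "detailed" after editing httpd.conf and restarting, the response is not coming from the configuration that was edited, or the running httpd does not honour the setting.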