Masking or anonymizing a Web server involves removing identifying
details that intruders could use to detect your OS and Web server vendor and
version. This information, while providing little or no utility to legitimate
users, is often the starting place for crackers, blackhat hackers and "script
kiddies". This article explores some ways you can minimize the risk of such
detection. Most of the following examples focus on Microsoft’s Internet
Information Server (IIS), since it has been most widely lambasted for its
vulnerabilities, but some Apache detection countermeasures are also covered.
While IIS users probably have the most vested interest here, server
anonymization is relevant to anyone responsible for administering a Web server.
Crackers Start Here. Shouldn’t You?
Let’s look at it from the
attacker's point of view: Security vulnerabilities tend to be dependent on
software vendor and version. Blind probing might lead to further requests being
denied or a system temporarily taken off line. Knowing Web server details
greatly increases the efficiency of any attack. If an attacker can target
exploits, the chances of successful cracking prior to detection increase
significantly. Script kiddies can leverage canned, newly-discovered exploits to
do more damage faster by targeting hosts with recognizable signatures. A
self-identifying system invites trouble.
Port80 Software has developed an
IIS server module called ServerMask to
combat the majority of issues explored here for the Windows Web
Server.
The Server Header Tells All
Most Web servers politely
identify themselves and the OS to anyone who asks. Using a network query tool
like Sam Spade or this Header Check, you can
discern the HTTP Server header. Just request a Web site's home page and examine
the resulting HTTP headers or "banners" sent back by the server. Among them, you
will likely find something like this:
Server: Microsoft-IIS/5.0
There is not much mystery
here. Apache's default settings make it no less identifiable:
Server: Apache/2.0.41-dev (UNIX)
You can remove or obscure
this HTTP Server header in a variety of ways, depending on your platform. Apache
2.x users who have the mod_headers module loaded can use a simple directive in their
httpd.conf file, as follows:
Header set Server "New Server Name Goes Here"
Unfortunately, mod_headers
cannot alter the Server header in prior versions of Apache, so 1.3.x users will
have to resort to editing the defines in httpd.h and recompiling Apache to get the same
result. IIS users can install IISLockDown and use the configuration option in URLScan's INI file to remove or replace the header. Be
careful with URLScan if you are running the ColdFusion application server -- the way
the current version replaces the Server header wreaks havoc with CFM pages. In
fact, removing the header is the way to go when using URLScan, since if you try
replacing the header it moves to the bottom of the header order -- which pretty
much gives away that you are running URLScan on IIS.
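To verify that a masking change actually took effect, it helps to look at the raw header block the same way an attacker's header-check tool would. The following is an added example (not code from the original article or from Port80 Software): it parses a captured HTTP response, reports the Server header, flags values that match the default IIS and Apache banner patterns quoted above, and checks for the ordering giveaway described in the last paragraph, a replaced Server header that has been pushed to the bottom of the header list. The sample responses are constructed for illustration, not captured from any real host.

```python
"""Audit raw HTTP response headers for server-identifying banners.

Added example, not part of the original article: parse a captured HTTP
response, report the Server header, and flag the header-order giveaway
the article describes (a replaced Server header pushed to the bottom
of the header block).
"""
import re
from typing import Dict, List, Optional, Tuple

# Vendor/version patterns seen in default Server banners.
# Constructed list based on the two banners quoted in the article.
BANNER_PATTERNS = [
    re.compile(r"Microsoft-IIS/\d", re.I),
    re.compile(r"Apache/\d", re.I),
]


def parse_headers(raw_response: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response into its status line and an ordered list of
    (name, value) header pairs. Order is preserved because it is itself a signal."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status_line = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status_line, headers


def audit_server_header(raw_response: str) -> Dict[str, object]:
    """Return what the response reveals about the server software.

    Keys:
      server            - the Server header value, or None if it was removed
      identifies_vendor - True when the value matches a known default banner
      server_is_last    - True when Server is the final header, the ordering
                          quirk the article attributes to URLScan replacement
    """
    status_line, headers = parse_headers(raw_response)
    server: Optional[str] = None
    position: Optional[int] = None
    for i, (name, value) in enumerate(headers):
        if name.lower() == "server":
            server, position = value, i
            break
    identifies_vendor = server is not None and any(
        p.search(server) for p in BANNER_PATTERNS
    )
    server_is_last = position is not None and position == len(headers) - 1
    return {
        "status_line": status_line,
        "server": server,
        "identifies_vendor": identifies_vendor,
        "server_is_last": server_is_last,
    }


# Constructed sample responses (not captured from any real host).
DEFAULT_IIS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Mon, 01 Jan 2001 00:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Server header replaced, but pushed to the end of the header block.
REPLACED_LAST = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2001 00:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "Server: New Server Name Goes Here\r\n"
    "\r\n"
)

# Server header removed entirely.
REMOVED = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2001 00:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, sample in [("default IIS", DEFAULT_IIS),
                          ("replaced, last", REPLACED_LAST),
                          ("removed", REMOVED)]:
        print(label, audit_server_header(sample))
```

Run it against a response captured from your own server after applying the header change; a result with `server` set to None, or a neutral value that is not the last header, is what a successful masking change looks like.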