tags:

views:

234

answers:

3
Q: 

Obfuscating server headers

Hi,

I have a WSGI application running in PythonPaste. I've noticed that the default 'Server' header leaks a fair amount of information ("Server: PasteWSGIServer/0.5 Python/2.6").

My knee jerk reaction is to change it...but I'm curious what others think.

Is there any utility in the server header, or benefit in removing it? Should I feel uncomfortable about giving away information on my infrastructure?

Thanks

+1  A: 

Well "Security through Obscurity" is never a best practice; your equipment should be able to maintain integrity against an attacker that has extensive knowledge of your setup (barring passwords, console access, etc). Can't really stop a DDOS or something similar, but you shouldn't have to worry about people finding out you OS version, etc.

Still, no need to give away information for free. Fudging the headers may discourage some attackers, and, in cases like this where you're running an application that may have a known exploit crop up, there are significant benefits in not advertising that you're running it.

I say change it. Internally, you shouldn't see much benefit in leaving it alone, and externally you have a chance of seeing benefits if you change it.

Satanicpuppy  2009-10-12 15:41:24
+1 Apache has the ServerTokens Prod setting http://httpd.apache.org/docs/1.3/mod/core.html#servertokens which does this.
dar  2009-10-12 15:45:55
"equipment should be able to maintain integrity" - very much correct. I met a challenger just a few years back, MS / CS candidate working on his Thesis. Darkside challenger, this person would not think of going on the internet except by slipping under his child's internet connection and showing up from an Albanian IP. In a moment of good humor he told me of obtaining the pw's for auto-security alarms. Knowing I was being slipped as I am an easy target, I took it all in. Later, a cleanside worker told me that is done with gamma noise emitters. Those parked cars could not use Obscurity ( !!! )
Nicholas Jordan  2009-10-20 06:39:12
+1  A: 

Given the requests I find in my log files (like requests for IIS-specific bugs in Apache logs, and I'm sure IIS server logs will show Apache-specific requests as well), there's many bots out there that don't care about any such header at all. I guess almost everything is brute force nowadays.

(And actually, as for example I've set up quite a few instances of Tomcat sitting behind IIS, I guess I would not take the headers into account either, if I were to try to hack my way into some server.)

And above all: when using free software I kind of find it appropriate to give the makers some credits in statistics.

Arjan  2009-10-12 15:46:53
A: 

Masking your version number is a very important security measure. You do not want to give the attacker any information about what software you are running. This security feature is available in the mod_security, the Open Source Web Application Firewall for Apache: http://www.modsecurity.org/

Add this line to your mod_security configuration file:

SecServerSignature "IIS/6.0"
Rook  2009-10-20 06:24:57

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security