views: 234

answers: 3

Hi,

I have a WSGI application running in PythonPaste. I've noticed that the default 'Server' header leaks a fair amount of information ("Server: PasteWSGIServer/0.5 Python/2.6").

My knee-jerk reaction is to change it...but I'm curious what others think.

Is there any utility in the server header, or benefit in removing it? Should I feel uncomfortable about giving away information on my infrastructure?

Thanks
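A WSGI-level way to do what the question asks, added here as an example and not taken from anyone in the thread: a middleware that drops whatever Server header the application (or its framework) set and substitutes a neutral value, or no header at all. It assumes a server that only emits its own Server header when the application has not supplied one, which is how the standard library's wsgiref behaves; a server that writes the header inside its request handler (Python's BaseHTTPRequestHandler does this in send_response, and Paste's httpserver is built on it) has to be changed at that layer instead, since an application header would just be added alongside the server's own.

```python
import wsgiref.util
from wsgiref.simple_server import make_server


class ServerHeaderMiddleware(object):
    """Replace (or remove) the Server header on every response.

    value="webserver" substitutes a neutral string; value=None strips the
    header entirely and leaves it to the server to add one or not.
    """

    def __init__(self, app, value="webserver"):
        self.app = app
        self.value = value

    def __call__(self, environ, start_response):
        def scrubbed_start_response(status, headers, exc_info=None):
            # Drop any Server header set further down the stack.
            kept = [(k, v) for (k, v) in headers if k.lower() != "server"]
            if self.value is not None:
                kept.append(("Server", self.value))
            return start_response(status, kept, exc_info)

        return self.app(environ, scrubbed_start_response)


def hello_app(environ, start_response):
    # Constructed inner app that leaks a framework name and version.
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Server", "MyFramework/1.2.3")])
    return [b"hello\n"]


def call_app(app, path="/"):
    """Run a WSGI app against a constructed environ; return (status, headers, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    wsgiref.util.setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = ServerHeaderMiddleware(hello_app, value="webserver")
    print(call_app(app)[1])  # headers now carry Server: webserver
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Verify the result from outside with `curl -sI http://127.0.0.1:8080/` rather than trusting the application view alone, because the server layer has the last word on what actually leaves the socket.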

+1  A: 

Well "Security through Obscurity" is never a best practice; your equipment should be able to maintain integrity against an attacker that has extensive knowledge of your setup (barring passwords, console access, etc). Can't really stop a DDOS or something similar, but you shouldn't have to worry about people finding out your OS version, etc.

Still, no need to give away information for free. Fudging the headers may discourage some attackers, and, in cases like this where you're running an application that may have a known exploit crop up, there are significant benefits in not advertising that you're running it.

I say change it. Internally, you shouldn't see much benefit in leaving it alone, and externally you have a chance of seeing benefits if you change it.

Satanicpuppy
+1 Apache has the ServerTokens Prod setting http://httpd.apache.org/docs/1.3/mod/core.html#servertokens which does this.
dar
"equipment should be able to maintain integrity" - very much correct. I met a challenger just a few years back, MS / CS candidate working on his Thesis. Darkside challenger, this person would not think of going on the internet except by slipping under his child's internet connection and showing up from an Albanian IP. In a moment of good humor he told me of obtaining the pw's for auto-security alarms. Knowing I was being slipped as I am an easy target, I took it all in. Later, a cleanside worker told me that is done with gamma noise emitters. Those parked cars could not use Obscurity ( !!! )
Nicholas Jordan
+1  A: 

Given the requests I find in my log files (like requests for IIS-specific bugs in Apache logs, and I'm sure IIS server logs will show Apache-specific requests as well), there are many bots out there that don't care about any such header at all. I guess almost everything is brute force nowadays.

(And actually, as for example I've set up quite a few instances of Tomcat sitting behind IIS, I guess I would not take the headers into account either, if I were to try to hack my way into some server.)

And above all: when using free software I kind of find it appropriate to give the makers some credits in statistics.

Arjan
A: 

Masking your version number is a very important security measure. You do not want to give the attacker any information about what software you are running. This security feature is available in mod_security, the Open Source Web Application Firewall for Apache: http://www.modsecurity.org/

Add this line to your mod_security configuration file:

SecServerSignature "IIS/6.0"
Rook