Tuesday, January 12, 2010

Securing your Apache 2 web server...

I have done a lot of server security testing, and two of the most common mistakes I see in customers' web server deployments are:

1. The server banner (the Server response header, and the footer Apache appends to its own error pages and directory listings) reveals the product and exact version number of the web server software. That is a free fingerprint for anyone deciding which exploit to try first.

2. The HTTP TRACE method is left enabled in production. TRACE simply echoes the request back to the client; it is only useful for debugging and is the method that cross-site tracing (XST) attacks abuse.

When you install Apache 2 on an Ubuntu box (other Linux distributions are likely similar), both behaviours are enabled out of the box.

The easiest way to disable TRACE and stop advertising the version is to set the following three directives in the Apache configuration under /etc/apache2/. Note that on Ubuntu and Debian the package already sets ServerTokens and ServerSignature in /etc/apache2/conf.d/security (security.conf under conf-available on Apache 2.4); these are server-wide directives and the last definition Apache reads wins, so change the values there (or make sure your copy is read after that file) rather than ending up with two conflicting copies.

# Send "Server: Apache" only, with no version, OS or module list
# (Prod is the short form of ProductOnly)
ServerTokens ProductOnly
# No "Apache/2.x.y (Ubuntu) Server at ..." footer on error pages and index listings
ServerSignature Off
# Answer TRACE requests with 405 Method Not Allowed
TraceEnable Off

Run sudo apache2ctl configtest and then reload Apache (sudo /etc/init.d/apache2 reload) for the change to take effect. Keep in mind that hiding the version string only stops casual fingerprinting; the version you are actually running is unchanged, so this is no substitute for keeping the package patched.

The directives are fairly self-explanatory, but do look them up in the Apache core directive documentation (ServerTokens, ServerSignature, TraceEnable) before copying them blindly.
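To confirm the change actually took effect from the outside, here is a small POSIX shell script (an added example, not part of the original post) with three checks: one that flags a Server header still carrying a version number, one that tells whether a TRACE request was refused, and one that reports which value of a directive wins when it appears more than once across the files Apache reads. The sample responses and the sample configuration inside it are constructed for illustration, and www.example.com stands in for whatever host you are testing.

```shell
#!/bin/sh
# Added example (not the original post's code): verify Apache banner and
# TRACE hardening from the outside, and find the effective value of a
# directive that is set in more than one config file.
#
# Real use (www.example.com is a placeholder host):
#   curl -sI http://www.example.com/            | check_banner && echo "banner ok"
#   curl -si -X TRACE http://www.example.com/   | check_trace  && echo "TRACE refused"
#   cat /etc/apache2/apache2.conf /etc/apache2/conf.d/security \
#       | effective_directive ServerTokens

# check_banner: reads HTTP response headers on stdin.
# Returns 0 when the Server header carries no version number (what
# "ServerTokens Prod" produces, e.g. "Server: Apache") and 1 when it still
# leaks one (e.g. "Server: Apache/2.2.14 (Ubuntu)" or "... PHP/5.3.2").
check_banner() {
    server=$(tr -d '\r' | grep -i '^Server:' | head -n 1)
    case "$server" in
        *[0-9].[0-9]*) return 1 ;;
        *)             return 0 ;;
    esac
}

# check_trace: reads the full response to a TRACE request on stdin.
# With "TraceEnable Off" Apache answers 405 Method Not Allowed; a server
# that still allows TRACE answers 200 and echoes the request in the body.
# Returns 0 when TRACE is refused, 1 when it is enabled, 2 when the status
# is something else and deserves a manual look.
check_trace() {
    status=$(tr -d '\r' | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p')
    case "$status" in
        200)         return 1 ;;
        405|403|501) return 0 ;;
        *)           return 2 ;;
    esac
}

# effective_directive NAME: reads Apache configuration text on stdin (for a
# real audit, concatenate the files in the order Apache includes them) and
# prints the value of the last uncommented occurrence of NAME, because for
# server-wide directives such as ServerTokens the last definition wins.
# Prints nothing when NAME never appears, i.e. the compiled-in default applies.
effective_directive() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        $1 !~ /^#/ && tolower($1) == want { value = $2 }
        END { if (value != "") print value }
    '
}

# Constructed sample responses (typical of an unhardened and a hardened
# Apache 2 on Ubuntu; not captured from any real host) so the script can be
# exercised without network access.
LEAKY_HEAD='HTTP/1.1 200 OK
Server: Apache/2.2.14 (Ubuntu)
Content-Type: text/html'
HARDENED_HEAD='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'
TRACE_REFUSED='HTTP/1.1 405 Method Not Allowed
Allow: GET,HEAD,POST,OPTIONS
Content-Type: text/html'

printf '%s\n' "$LEAKY_HEAD"    | check_banner && echo "banner ok" || echo "banner leaks a version"
printf '%s\n' "$HARDENED_HEAD" | check_banner && echo "banner ok" || echo "banner leaks a version"
printf '%s\n' "$TRACE_REFUSED" | check_trace  && echo "TRACE refused" || echo "TRACE still answered"

# Constructed config: a Prod setting overridden by a later OS setting,
# with a commented-out line that must be ignored. Prints "OS".
SAMPLE_CONF='ServerTokens Prod
# ServerTokens Full
ServerSignature Off
ServerTokens OS'
echo "effective ServerTokens: $(printf '%s\n' "$SAMPLE_CONF" | effective_directive ServerTokens)"
```

The banner check deliberately looks for any "digit.digit" pattern rather than the word Apache, so it also catches versions leaked by modules such as PHP or OpenSSL that ServerTokens Prod is meant to suppress. The directive check is the practical way to resolve the "which file wins" question above: feed it the files in include order and the value it prints is the one Apache is really using.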