Hi Brad,<br><br>I also found references to these directives and have already implemented.<br><br>Thanks anyway.<br><br>If you remember anything else to stealth Apache.<br><br>Regards,<br><br>Joao<br><br><br><div class="gmail_quote">
On Fri, Dec 9, 2011 at 5:47 PM, Brad Beckenhauer <span dir="ltr"><<a href="mailto:bbecken@aafp.org">bbecken@aafp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div style="MARGIN:4px 4px 1px;FONT:10pt Segoe UI">
<div>Since we're on the subject of security.</div>
<div>Consider changing the below Apache configurations:</div>
<div> </div>
<div>
<div>ServerSignature On to ServerSignature Off</div></div>
<div>ServerTokens OS to ServerTokens Prod ( or just remark it out to disable it).</div>
<div> </div>
<div>(Blatant web scrape below).</div>
<div>The first line “ServerSignature Off” instructs Apache not to display a trailing footer line under server-generated <a href="http://www.mydigitallife.info/improve-apache-web-server-security-use-servertokens-and-serversignature-to-disable-header/#" target="_blank">documents</a> (error messages, mod_proxy ftp directory listings, mod_info output, etc.) which displays the server version number, the ServerName of the serving <a href="http://www.mydigitallife.info/improve-apache-web-server-security-use-servertokens-and-serversignature-to-disable-header/#" target="_blank">virtual host</a>, the email setting, and creates a “mailto:” reference to the ServerAdmin of the referenced document.</div>
<div>
<p>The second line “ServerTokens Prod” configures Apache to return only “Apache” as the product in the server response header on every page request, suppressing OS, major and minor version info.</p></div>
<div><br>>>> On 12/9/2011 at 5:00 AM, Jules <<a href="mailto:Jules@zend.to" target="_blank">Jules@zend.to</a>> wrote:<br></div>
<table style="MARGIN:0px 0px 0px 15px;FONT-SIZE:1em" bgcolor="#f3f3f3" border="0">
<tbody>
<tr>
<td>
<div style="BORDER-LEFT:#050505 1px solid;PADDING-LEFT:7px"><br><br>On 09/12/2011 10:42, Joao Alexandre wrote:<br>> Hi Jules,<br>><br>> All of our internet facing structure was evaluated/scanned for<br>> security problems and regarding ZendTo they found two issues. They<br>
> don't seem to be related itself with ZendTo but maybe you can help us<br>> resolve or lead us to the solution:<br>><br>> 1.<br>> Vulnerability details -<br>> Script ID 201167<br>> Name Directory Browsing<br>
> Port 443/TCP - http<br>> Risk factor Medium risk<br>> CVSS Score 5.0 - (AV:N/AC:L/Au:N/C:P/I:N/A:N)<br>> (cdp:ND/td:ND/cr:ND/ir:ND/ar:ND)<br>> Family http<br>> Product HTTP<br>> Description This service lists the contents of various directories.<br>
> Information Browsable directories:<br>> Location<br>> /js/<br>> /images/<br>> /icons/<br>> /css/<br>> Solution Disable directory browsing<br>> History First seen : 2011-12-09 08:02 - New finding<br>
This one you can fix in your Apache configuration. Look for a line <br>saying something like<br> Options All Indexes FollowSymLinks MultiViews<br>and remove the word "Indexes" from it. (Basically just search all the <br>
Apache configuration files you can find for the word "Indexes" and <br>remove it!)<br>Then restart Apache.<br>I have just applied this fix to the VMs I distribute.<br>><br>> 2.<br>> Script ID 236788<br>
> Name SSL/TLS Cipher Suite Detect MD5<br>> Port 443/TCP - http<br>> Risk factor Medium risk<br>> CVSS Score 5.0 - (AV:N/AC:L/Au:N/C:N/I:P/A:N)<br>> (cdp:ND/td:ND/cr:ND/ir:ND/ar:ND)<br>> Family ssl<br>
> Product SSL<br>> Description The MD5 Message-Digest Algorithm is not collision<br>> resistant, which makes it easier for context-<br>> dependent attackers to conduct spoofing attacks, as demonstrated by<br>
> attacks on the use of MD5 in the<br>> signature algorithm of an X.509 certificate.<br>> Information SSLv3 Cipher Suite OpenSSL Cipher<br>> Name<br>> Algorithm Bits Bits Used Cipher Strength<br>> RSA_WITH_RC4_128_MD5<br>
> RC4-MD5 128 128 medium<br>> TLSv1 Cipher Suite OpenSSL Cipher<br>> Name<br>> Algorithm Bits Bits Used Cipher Strength<br>> RSA_WITH_RC4_128_MD5<br>> RC4-MD5 128 128 medium<br>> Solution Reconfigure the service to disallow the listed cipher suites<br>
> Reference url - <a href="http://www.kb.cert.org/vuls/id/836068" target="_blank">http://www.kb.cert.org/vuls/id/836068</a> CVE-2004-2761<br>> History First seen : 2011-12-09 08:02 - New finding<br>This is related to your https SSL certificate, and the encryption method <br>
it uses. Most certificate providers are switching away from MD5 to SHA-1 <br>so hopefully the next time you renew your certificate this problem <br>should disappear.<br><br>Jules<br><br>-- <br>Julian Field MEng CITP CEng<br>
<a href="http://www.Zend.To" target="_blank">www.Zend.To</a><br><br>Follow me at <a href="http://twitter.com/JulesFM" target="_blank">twitter.com/JulesFM</a><br>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654<br>
<br>'It's okay to live without all the answers' - Charlie Eppes, 2011<br>'All programs have a desire to be useful' - Tron, 1982<br>'That is the land of lost content,<br> I see it shining plain,<br>
The happy highways where I went,<br> And cannot come again.' - A.E. Housman<br><br>_______________________________________________<br>ZendTo mailing list<br><a href="mailto:ZendTo@zend.to" target="_blank">ZendTo@zend.to</a><br>
<a href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto" target="_blank">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a><br></div></td></tr></tbody></table></div>
</blockquote></div><br>
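<p>As an added example (not code from the ZendTo project or from anyone in this thread), the script below audits an Apache configuration for the three settings the thread discusses: <code>Options Indexes</code> (Jules's directory-browsing fix), <code>ServerTokens</code> / <code>ServerSignature</code> (Brad's version-disclosure suggestion) and the RC4-MD5 cipher suite from the scan report. The two configuration fragments are constructed for the demonstration, the script reads plain directive lines only (it does not follow <code>Include</code> or reason about per-section scope), and the cipher check is a heuristic over the OpenSSL cipher string rather than a full evaluation of it.</p>

```python
"""Audit an Apache httpd configuration for browsable directories
(Options Indexes), version disclosure (ServerTokens / ServerSignature)
and MD5 / RC4 cipher suites.  Added example, not ZendTo project code."""
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample httpd.conf fragment (not from any real server); it
# contains each weak setting once plus one directory that is already fixed.
SAMPLE_CONFIG = """\
ServerTokens OS
ServerSignature On
<Directory "/var/www/html">
    Options All Indexes FollowSymLinks MultiViews
</Directory>
<Directory "/var/www/zendto">
    # Listing already disabled here; symlinks still followed
    Options -Indexes +FollowSymLinks
</Directory>
SSLCipherSuite ALL:!ADH:!EXPORT:RC4+RSA:+HIGH:+MEDIUM
"""

# Hardened counterpart of the same fragment (also constructed).
HARDENED_CONFIG = """\
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options FollowSymLinks MultiViews
</Directory>
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
"""

Finding = Dict[str, object]


def iter_directives(config_text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (line_number, lowercased directive name, arguments) for each
    directive line, skipping blanks, comments and <Section> markers."""
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, *args = line.split()
        yield lineno, name.lower(), args


def cipher_findings(lineno: int, spec: str) -> List[Finding]:
    """Heuristic check of an OpenSSL cipher string (not a full evaluation):
    report MD5 or RC4 unless the list explicitly excludes it with '!'."""
    tokens = [t.upper() for t in spec.split(":")]
    out: List[Finding] = []
    for weak in ("MD5", "RC4"):
        excluded = f"!{weak}" in tokens
        selected = any(weak in t and not t.startswith("!") for t in tokens)
        if selected or not excluded:
            out.append({"line": lineno, "issue": f"weak_cipher_{weak.lower()}",
                        "detail": f"SSLCipherSuite does not exclude {weak}; add !{weak}"})
    return out


def audit_apache_config(config_text: str) -> List[Finding]:
    """Return one finding per weak setting found in the configuration text."""
    findings: List[Finding] = []
    server_tokens: Optional[Tuple[int, str]] = None
    server_signature: Optional[Tuple[int, str]] = None

    for lineno, name, args in iter_directives(config_text):
        if name == "options":
            # "Indexes", "+Indexes" and "All" (every option except MultiViews)
            # all enable directory listings; "-Indexes" switches them off.
            enabling = [a for a in args if a.lower() in ("indexes", "+indexes", "all")]
            if enabling:
                findings.append({"line": lineno, "issue": "directory_browsing",
                                 "detail": "Options enables listings via " + " ".join(enabling)})
        elif name == "servertokens" and args:
            server_tokens = (lineno, args[0])
        elif name == "serversignature" and args:
            server_signature = (lineno, args[0])
        elif name == "sslciphersuite" and args:
            findings.extend(cipher_findings(lineno, args[0]))

    # ServerTokens defaults to Full, so an absent directive is itself a finding.
    if server_tokens is None:
        findings.append({"line": None, "issue": "version_disclosure",
                         "detail": "ServerTokens not set (default Full); set ServerTokens Prod"})
    elif server_tokens[1].lower() != "prod":
        findings.append({"line": server_tokens[0], "issue": "version_disclosure",
                         "detail": f"ServerTokens {server_tokens[1]}; set ServerTokens Prod"})
    # ServerSignature defaults to Off, so only an explicit On / EMail is reported.
    if server_signature is not None and server_signature[1].lower() != "off":
        findings.append({"line": server_signature[0], "issue": "version_disclosure",
                         "detail": f"ServerSignature {server_signature[1]}; set ServerSignature Off"})
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in audit_apache_config(text):
            print(f"  line {f['line']}: {f['issue']}: {f['detail']}")
```

<p>To use it on a real server, read each configuration file into <code>audit_apache_config()</code> separately (it does not follow <code>Include</code>), which matches Jules's advice to search every Apache configuration file for <code>Indexes</code>. An absent <code>ServerTokens</code> line is reported because Apache's default is <code>Full</code>, so simply commenting the directive out does not reduce what the <code>Server</code> header reveals. After changing any of these settings, restart Apache and re-run the scan.</p>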