Mon, 28 Jun 2004
Apache Banners
Service banner grabbing is no longer the prominent issue it once was.
Today's fire-and-forget worms probe large IP ranges so quickly that they just try to
brute-force a compromise of any server they encounter and hope to get lucky,
without checking the product name or version of the target.
While these are the most common attacks you will see on your Apache server, it's also worth noting that they are the easiest ones to defend against. The real problem is the attacks launched by an actual person paying attention to the results. In this entry we're going to look at minimizing the details they can get about your Apache server.
When you make a request to a web server, one of the headers in the response is the 'Server:' header. It contains details about the server that processed the request and can be a wealth of information. Let's look at the value returned from a basic Apache server with some modules compiled in:
Apache/1.3.24 (Unix) Debian GNU/Linux mod_accounting/0.4 PHP/4.1.1 mod_ssl/2.8.7 OpenSSL/0.9.6g mod_perl/1.24
This output was gathered from one of my older test machines. To check the settings on your own server (or anyone else's if you must) you have two options, an easy one and a hard one. The easy option requires a Perl install with LWP; if you have this you can just run "HEAD servername | grep '^Server'", which will return the server header and associated details.
If you don't have a configured Perl install you can check the details by hand. Follow these step-by-step instructions; after you've finished typing, press return twice and the headers will be displayed.
telnet servername 80
HEAD / HTTP/1.0
Now that we've seen how helpful the default Server header can be, and how to check the current value, let's bring this to a close and look at how to change the details returned. Apache (both the 1.3.* and 2.0.* series) has a directive called ServerTokens. It takes one of a number of possible options that control how verbose the header is.
The default value (used if no ServerTokens directive is present) and "ServerTokens Full" both return the long, overly welcoming version string given above. There are a number of more restrictive steps leading down to the tight-lipped "ServerTokens Prod", which returns 'Apache'.
If you want to read the official word on the ServerTokens directive, docs are available whether you're a stalwart conservative using Apache 1.3.* or a dynamic pioneer betting the (server) farm on Apache 2.0.*. It is worth noting that the 2.0.* ServerTokens supports one additional option, 'Major', which returns the string 'Apache/2'.
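An added example, not part of the original post: a Python sketch that pulls the Server header out of a raw response and reports which ServerTokens level the banner corresponds to and which component versions it exposes. The Min, Minor and OS level names come from Apache's ServerTokens documentation rather than this post, and the sample response is constructed around the banner quoted above.

```python
import re

# The banner quoted in the post, wrapped in a constructed sample response.
FULL_BANNER = ("Apache/1.3.24 (Unix) Debian GNU/Linux mod_accounting/0.4 "
               "PHP/4.1.1 mod_ssl/2.8.7 OpenSSL/0.9.6g mod_perl/1.24")
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                   "Date: Mon, 28 Jun 2004 22:20:00 GMT\r\n"
                   "Server: " + FULL_BANNER + "\r\n"
                   "Content-Type: text/html\r\n\r\n")

BANNER_RE = re.compile(
    r"Apache(?:/(\d+(?:\.\d+)*))?"   # optional version: 2, 2.0, 2.0.41
    r"(?:\s+\(([^)]*)\))?"           # optional OS comment: (Unix)
    r"(?:\s+(.*))?$")                # anything else: distro and module tokens

def server_header(raw_response):
    """Return the Server header value from raw response headers, or None."""
    for line in raw_response.splitlines()[1:]:    # skip the status line
        if not line.strip():
            break                                 # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

def classify(banner):
    """Report what an Apache banner discloses and the ServerTokens level
    that would produce it."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return {"level": "unknown", "version": None, "os": None, "components": []}
    version, os_name, rest = m.group(1), m.group(2), m.group(3) or ""
    # name/version pairs such as mod_ssl/2.8.7; "GNU/Linux" has no version digit
    components = re.findall(r"[\w.+-]+/\d[\w.+-]*", rest)
    if rest:
        level = "Full"
    elif os_name:
        level = "OS"
    elif version is None:
        level = "Prod"
    else:
        level = {1: "Major", 2: "Minor"}.get(len(version.split(".")), "Min")
    return {"level": level, "version": version, "os": os_name,
            "components": components}

if __name__ == "__main__":
    print(classify(server_header(SAMPLE_RESPONSE)))
```

Anything other than "Prod" in the level field means the banner is still giving away version detail that a ServerTokens change would remove.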
Posted: 2004/06/28 23:20 | /security/apache
Sat, 26 Jun 2004
Unixdaemon AccessKeys
The Unixdaemon site is undergoing
some design changes as and when I get time. Surprisingly it's gone from
being a short set of links pointing to a few bits of code to something that
actually gets unique visitors every day; and it's not just my mum! On the
left of the home page I've added a small set of navigation links and while
working through the CSS I
thought I'd try adding access keys.
First some basics: an accesskey works in the same way as the menu shortcuts in the native OS. You use a meta key (typically Alt on Windows and Ctrl on Macs) and press another key to access a function or menu. The code for setting this up is remarkably simple; to make a meta-h combination move you to the home page you'd use code like this in your page:
<a href="index.html" accesskey="h">Home</a>
This leads me to the problems. Firstly, not all browsers support them. This is the easiest to solve: wait long enough and everything in mainstream usage will accommodate them. Secondly, there is the issue of precedence: your accesskeys may be overridden by the browser or OS. The reverse is also true; if you choose certain letters, such as the 'h' presented above, you lose the ability to use shortcut keys to access browser functionality. In IE you'll no longer be able to use Alt-h to access the Help menu.
If you want to dig a little deeper into access keys these two links cover the basics and more advanced topics respectively.
Site Point's Using Accesskeys is Easy and for more advanced usage A List Apart has a good article called Accesskeys: Unlocking Hidden Navigation on using them with CSS.
Posted: 2004/06/26 13:52 | /unixdaemon
Tue, 22 Jun 2004
Two Book Reviews
A couple of my book reviews are now up on London PM's review section, the two
books are Coder to Developer and XForms Essentials.
The first, Coder to Developer by Mike Gunderloy, is a great book for less experienced software developers looking to become more professional. The second is an older but still valid book focusing on the XForms spec. It's a little dry and academic, but if you need to understand the principles XForms Essentials isn't the worst option by a fair way.
Posted: 2004/06/22 20:47 | /books
Sun, 20 Jun 2004
BugMeNot.com
I stumbled across this site yesterday when looking for some FireFox
plugins and I have to admit I can see me getting a lot of use out of
it. The basic premise is pretty simple:
BugMeNot.com was created as a mechanism to quickly bypass the login of web sites that require compulsory registration and/or the collection of personal/demographic information (such as the New York Times).
The FireFox BugMeNot plugin provides nice and easy right-click access to the site, but while I'm at work I have to use IE, so I decided to write my own version, imaginatively titled BugMeNot IE.
Update: The people behind BugMeNot have included a link to my version of the plugin on the FAQ page. Very cool.
Posted: 2004/06/20 14:06 | /sites
Tue, 01 Jun 2004
Testing, Testing, one, two, three.
Is this thing on? With a little luck you'll be seeing a spiffy UnixDaemon
mosaic across the top of the screen and me blathering on underneath it. I
finally decided to stop just reading blogs and start writing my own. I'm
not sure how it's going to go update-wise but I should be able to stretch to
a couple a week.
I'm using the quite excellent Blosxom,
so expect the site to go through a lot of small changes while I get
everything just the way I like it.
Posted: 2004/06/01 23:12 | /meta

