As you may or may not know, by default, your server details are public and anyone with some basic knowledge can easily see them.
For example, let's consider http://1mum.geek-tools.org. If you check its HTTP headers, you'll see this info:
HTTP/1.1 200 OK
Date: Mon, 08 Jun 2009 16:44:51 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
X-Pingback: http://1mum.geek-tools.org/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
If you use the Apache web server and want to turn this off, just edit your Apache VirtualHost definition and add this line:
ServerSignature Off
More info about this can be found at http://httpd.apache.org/docs/1.3/mod/core.html#serversignature
In order for the changes to be activated you'll have to restart your web server.
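To confirm what a response still discloses after the change, the added example below (not code from the original post) scans a header block for product/version tokens. It runs on the headers shown above and on a constructed trimmed response; the mapping of the Server header to Apache's ServerTokens directive and of X-Powered-By to PHP's expose_php setting is not from the post.

```python
import re

# Header block copied from the example response shown in the post.
SAMPLE_BEFORE = """\
Date: Mon, 08 Jun 2009 16:44:51 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
X-Pingback: http://1mum.geek-tools.org/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample: a response whose banners have been minimised.
SAMPLE_AFTER = """\
Date: Mon, 08 Jun 2009 16:50:00 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=UTF-8
"""

# Banner-carrying headers and the setting that controls each (not from the post).
BANNER_HEADERS = {
    "server": "Apache ServerTokens directive",
    "x-powered-by": "PHP expose_php setting (php.ini)",
}
TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.]*)")  # e.g. OpenSSL/0.9.8i

def parse_headers(raw):
    """Return {lowercased-name: value} from a raw header block."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """List (header, product, version, controlling setting) per leaked version."""
    findings = []
    headers = parse_headers(raw)
    for name, setting in BANNER_HEADERS.items():
        for product, version in TOKEN.findall(headers.get(name, "")):
            findings.append((name, product, version, setting))
    return findings

if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(raw) or "no version tokens exposed")
```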
Now that you've made this change, here's the question: will turning off your web server headers be of any help? :-)
The quick answer is yes and no.
Yes: if you sell web hosting, it may look better/more secure to your potential customers. It could also save you some SPAM/attacks, as some of these malware-loving guys use automated tools that read this info.
No: most of the attacking tools won't care about the header details as they'll brute force your server anyway.
Besides that, someone with a bit more networking knowledge can not only make a fairly good guess at what your OS is but also figure out details like your server's uptime!
The bottom line: if it's easy for you to edit your web server configuration to hide your server's details, do it; if not, it won't matter much anyway.