Apache 2.2. security issue? Raw index shows system details.

[jols]

We just updated to Apache 2.2. and now the raw index listing shows all sorts of server details that we would rather not have displayed, example (see the bottom):

-------------------------------
Index of /wc/mov

* Parent Directory
* My cool movies/
* My cool Menus/
* _Go_To_Main_Menu.html

Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.domainextra.com Port 80
-------------------------------

Any way to obscure these details?


By the way, the customer says that he used to get a much nicer looking index page, e.g. with icons rather than bullets, so I guess my question is, is there any way to set parameters for this?

[Serra]

They can be obscured in mod_security.

[jols]

They can be obscured in mod_security.

Thanks. This is very good news, but how? Can you point me to a page or offer an example? This would be very much appreciated!

[jdlightsey]

Change ServerSignature to Off in httpd.conf or add a line with "ServerTokens Min"

Then run "/usr/local/cpanel/bin/apache_conf_distiller --update --main" to preserve the change and "/scripts/restartsrv_httpd" to restart Apache.

[bornonline]

Great.. thanks for the info. I was just trying to figure this out.

One thing..does
/scripts/buildhttpdconf
need to be run too?

Change ServerSignature to Off in httpd.conf or add a line with "ServerTokens Min"

Then run "/usr/local/cpanel/bin/apache_conf_distiller --update --main" to preserve the change and "/scripts/restartsrv_httpd" to restart Apache.

[jols]

Change ServerSignature to Off in httpd.conf or add a line with "ServerTokens Min"

Then run "/usr/local/cpanel/bin/apache_conf_distiller --update --main" to preserve the change and "/scripts/restartsrv_httpd" to restart Apache.

Hey thanks! I should have geeked this one out myself. I had ServerSignature set to off before, but of course I recently upgraded to Apache 2.2. so this feature was set back on.

However, I did not know about the apache_conf_distiller --update --main thing. So I guess this just locks the basic features in place? Without locking anything else out? Hmmmm, interesting.