The Community Forums


Apache 2.2 security issue? Raw index shows system details.

Discussion in 'EasyApache' started by jols, Jan 22, 2008.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    We just updated to Apache 2.2, and now the raw index listing shows all sorts of server details that we would rather not have displayed. Example (see the bottom):

    -------------------------------
    Index of /wc/mov

    * Parent Directory
    * My cool movies/
    * My cool Menus/
    * _Go_To_Main_Menu.html

    Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.domainextra.com Port 80
    -------------------------------

    Any way to obscure these details?


    By the way, the customer says that he used to get a much nicer looking index page, e.g. with icons rather than bullets, so I guess my question is, is there any way to set parameters for this?
     
  2. Serra

    Serra Well-Known Member

    Joined:
    Oct 27, 2005
    Messages:
    213
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Florida
    They can be obscured in mod_security.
     
  3. jols

    jols Well-Known Member

    Thanks. This is very good news, but how? Can you point me to a page or offer an example? This would be very much appreciated!
     
  4. jdlightsey

    jdlightsey Perl Developer III
    Staff Member

    Joined:
    Mar 6, 2007
    Messages:
    126
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Houston Texas
    cPanel Access Level:
    Root Administrator
    Change ServerSignature to Off in httpd.conf or add a line with "ServerTokens Min"

    Then run "/usr/local/cpanel/bin/apache_conf_distiller --update --main" to preserve the change and "/scripts/restartsrv_httpd" to restart Apache.
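
The check below is an added example, not part of the post above or of cPanel's tooling: a shell audit of one Apache configuration file for the two directives just named. The function names and both sample configs are constructed for illustration, and it assumes the directives sit in the file passed in (Include'd files are not followed).

```shell
#!/bin/sh
# Added example: audit one Apache config file for banner disclosure.
# Assumption: directives are in the file given; Include'd files are not followed.

# Last uncommented ServerTokens value, lowercased (Apache's default is Full).
server_tokens() {
    awk 'tolower($1) == "servertokens" && NF >= 2 { v = tolower($2) }
         END { print (v == "" ? "full" : v) }' "$1"
}

# Count uncommented ServerSignature lines set to On or EMail. The directive is
# also valid inside a VirtualHost, so every occurrence is counted.
signature_enabled_count() {
    awk 'tolower($1) == "serversignature" && tolower($2) != "off" { n++ }
         END { print n + 0 }' "$1"
}

# Print findings for one file; return 0 when clean, 1 otherwise.
audit_banner() {
    findings=0
    tokens=$(server_tokens "$1")
    case $tokens in
        prod|productonly) ;;
        major|minor|min|minimal)
            echo "note: ServerTokens $tokens drops OS and modules, still sends a version" ;;
        *)  echo "finding: ServerTokens $tokens exposes OS or module details"
            findings=1 ;;
    esac
    count=$(signature_enabled_count "$1")
    if [ "$count" -gt 0 ]; then
        echo "finding: $count ServerSignature line(s) add the footer to generated pages"
        findings=1
    fi
    return "$findings"
}

# Constructed sample configs (not the thread's real httpd.conf).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
printf '%s\n' 'ServerTokens Full' 'ServerSignature On' > "$sample_dir/before.conf"
printf '%s\n' '# ServerSignature On' 'ServerTokens Min' 'ServerSignature Off' \
    > "$sample_dir/after.conf"

audit_banner "$sample_dir/before.conf" || echo "before.conf: needs hardening"
audit_banner "$sample_dir/after.conf" && echo "after.conf: ok"
```

`ServerTokens Min` still sends the Apache version in the `Server` header, while `ServerTokens Prod` reduces it to `Apache`.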
     
  5. bornonline

    bornonline Well-Known Member

    Joined:
    Nov 19, 2004
    Messages:
    139
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Earth
    Great, thanks for the info. I was just trying to figure this out.

    One thing: does /scripts/buildhttpdconf need to be run too?


     
  6. jols

    jols Well-Known Member

    Hey, thanks! I should have geeked this one out myself. I had ServerSignature set to off before, but of course I recently upgraded to Apache 2.2, so this feature was set back on.

    However, I did not know about the apache_conf_distiller --update --main thing. So I guess this just locks the basic features in place? Without locking anything else out? Hmmmm, interesting.
     