Crazy Pete

Well-Known Member
May 16, 2003
How does one go about hiding the version tokens of various services running on a server, to deter anyone wishing to run an exploit against them? After all, they can't exploit something if they don't know what version it is, at least not without a lot of undue effort.

Somewhere I read how to remove the Apache version token from my server, which works as evidenced by http://www.netcraft.com. On mine it just says...

The site expectedmiracles.com is running Apache on Linux.

:D

What I wanted to do was something similar but with other services like exim, SQL, PHP, PureFTPd, BIND, cppop, etc. Anyone know how to accomplish this without breaking things?


Crazy Pete

Ok I have that already, what I was saying was how can I do something similar for other services? For example, on dnsreport.com I can run my domain, and several others. On my domain it lists BIND version as 9.2, whereas on several other sites it lists BIND version as "You nosy bastard."

Where/how can I change these version tokens?


Domenico

Well-Known Member
Aug 14, 2001
Crazy Pete said:
Ok I have that already, what I was saying was how can I do something similar for other services? For example, on dnsreport.com I can run my domain, and several others. On my domain it lists BIND version as 9.2, whereas on several other sites it lists BIND version as "You nosy bastard."

Where/how can I change these version tokens?


1) pico -w /etc/named.conf

2) add this line:
version "like whatever";
after:
query-source address * port 53;

3) Save the changes
Ctrl+x then y

4) Restart your BIND service.
service named restart or /etc/init.d/named restart

5) Check your bind version
dig @ns1.yourserver.com version.bind chaos txt
 

SarcNBit

Well-Known Member
Oct 14, 2003
Here is a snippet from http://eth0.us/faq/secure.htm:

--------------------------

Version numbers can be used by various software scanners to determine if your server is vulnerable. Though you should have the latest versions of everything, security through obscurity is one method that can be employed to help secure your server.

First we are going to hide the version information in apache.

#pico /etc/httpd/conf/httpd.conf
Press control + w to search for "ServerSignature"
It should say On, change it to Off
This will remove the identification of apache from error pages

Right below that add a line that has the following:
"ServerTokens Prod"
This will identify apache simply as "apache" with no version numbers or OS information

Save out of the file and restart apache
#service httpd restart



Next we will disable named from giving a version.
#pico /etc/named.conf
Search for "query-source address * port 53;"
Add a line right below it with
version "Named";
Save and restart named

Next we will disable the exim version
#pico /etc/exim.conf
Search for " smtp_banner = "${primary_hostname"
This is the welcome banner for the email server, anything can be set here. To quickly replace it just do something like the following

smtp_banner = "${primary_hostname} MailServer \n\
We do not authorize the use of this system to transport unsolicited, \n\
and/or bulk e-mail."

Then save out and restart exim.
#service exim restart


Remember this is just security through obscurity and you still need to keep the server updated! This is just going to stop some people from finding your server in the first place. It will not help at all if somebody is trying to actually hack the server.


--------------------------
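An added example, not part of the thread or the quoted FAQ: a small Python audit that confirms the changes above took effect by looking for a version token in each service's banner. BIND reports its `version` string as a TXT record for `version.bind` in the CHAOS class, so the script builds that query and parses the reply. All function names and sample banners are constructed for illustration, and the DNS reply is built locally so the script runs offline.

```python
import re
import struct

# Constructed sample banners (not taken from any real server).
SAMPLES = {
    "apache default": "Apache/1.3.27 (Unix) PHP/4.3.1",
    "apache ServerTokens Prod": "Apache",
    "exim default": "220 host.example.com ESMTP Exim 4.20 #1",
    "exim custom smtp_banner": "220 host.example.com MailServer",
}
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*")  # dotted number, e.g. 9.2

def leaked_version(banner):
    """Return the first version-looking token in a banner, or None."""
    m = VERSION_RE.search(banner)
    return m.group(0) if m else None

def version_bind_query(txid=0x1234):
    """DNS query for version.bind, type TXT (16), class CHAOS (3)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + b"\x07version\x04bind\x00" + struct.pack(">HH", 16, 3)

def constructed_reply(query, text):
    """Build a sample reply carrying `text`, so the parser runs offline."""
    header = query[:2] + struct.pack(">HHHHH", 0x8580, 1, 1, 0, 0)
    rdata = bytes([len(text)]) + text.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 16, 3, 0, len(rdata)) + rdata
    return header + query[12:] + answer

def parse_version_bind(reply, query):
    """Return the TXT string from a reply to version_bind_query(), or None."""
    if reply[:2] != query[:2] or struct.unpack(">H", reply[6:8])[0] == 0:
        return None                     # wrong transaction id or no answer
    pos = len(query)                    # answer follows the echoed question
    while reply[pos] and reply[pos] & 0xC0 != 0xC0:  # skip owner-name labels
        pos += reply[pos] + 1
    pos += 2 if reply[pos] else 1       # 2-byte pointer, or the root label
    rtype, _cls, _ttl, _len = struct.unpack(">HHIH", reply[pos:pos + 10])
    if rtype != 16:
        return None
    txt_len = reply[pos + 10]
    return reply[pos + 11:pos + 11 + txt_len].decode("ascii", "replace")

if __name__ == "__main__":
    q = version_bind_query()
    SAMPLES["named default"] = parse_version_bind(constructed_reply(q, "9.2.1"), q)
    SAMPLES["named version set"] = parse_version_bind(constructed_reply(q, "Named"), q)
    for name, banner in SAMPLES.items():
        print(f"{name:26} {leaked_version(banner) or 'hidden'}")
```

To check a server you administer, send `version_bind_query()` over UDP to port 53 and pass the reply to `parse_version_bind()`; the HTTP `Server` header and the SMTP greeting line can be fed to `leaked_version()` the same way.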