Bug#843014: Apache2: ServerTokens Minimal

Bug#843014: Apache2: ServerTokens Minimal

Heinrich Schuchardt-2
Package: apache2
Version: 2.4.23-5
Severity: wishlist

Dear maintainer,

/etc/apache2/conf-available/security.conf currently defaults to
ServerTokens OS

This results in a header like:
Server: Apache/2.4.10 (Debian)

Sending the Apache and OS version is a waste of bandwidth.
Unfortunately Apache does not allow this superfluous header to be
suppressed completely.

Furthermore the current setting exposes valuable information to a
possible intruder:
Why should any HTTP client care which OS my server is using?

Please, change the default to
ServerTokens Minimal

Best regards

Heinrich Schuchardt
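The report above contrasts the `Server` header produced by `ServerTokens OS` with the one produced by `ServerTokens Minimal`. The following audit helper, added here as an example and not part of the bug report or of Debian's apache2 package, maps an observed `Server` header value back to the `ServerTokens` level that would have produced it (using the documented Apache levels Prod, Major, Minor, Minimal, OS, Full) and flags hosts that reveal more than a chosen policy allows. The HTTP responses embedded in it are constructed sample data; the `Apache/2.4.10 (Debian)` value is the one quoted in the report.

```python
import re
from typing import Optional

# Apache's documented ServerTokens levels, least to most verbose.
SERVER_TOKENS_LEVELS = ("Prod", "Major", "Minor", "Minimal", "OS", "Full")

# Apache's own product token: "Apache", optionally followed by /major[.minor[.patch]].
_PRODUCT_RE = re.compile(r"^Apache(?:/(\d+)(?:\.(\d+)(?:\.(\d+))?)?)?$")

# Product token, optional parenthesised OS comment, optional trailing module tokens.
_HEADER_RE = re.compile(r"^(?P<product>\S+)(?:\s+\((?P<os>[^)]*)\))?(?P<rest>.*)$")

# Constructed sample responses (not captured from a real host).
SAMPLE_OS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 03 Nov 2016 06:42:39 GMT\r\n"
    b"Server: Apache/2.4.10 (Debian)\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_MINIMAL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.10\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def server_header_from_response(raw: bytes) -> Optional[str]:
    """Extract the Server header value from a raw HTTP/1.x response, or None."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def classify_server_header(value: str) -> Optional[str]:
    """Return the ServerTokens level that produces this Server header value.

    Returns None when the value is not Apache's own product token
    (e.g. a different server or a header rewritten by a proxy/module).
    """
    m = _HEADER_RE.match(value.strip())
    if not m:
        return None
    prod = _PRODUCT_RE.match(m.group("product"))
    if not prod:
        return None
    major, minor, patch = prod.groups()
    if m.group("rest").strip():      # module tokens such as "OpenSSL/1.1.0" present
        return "Full"
    if m.group("os") is not None:    # "(Debian)", "(Unix)", ...
        return "OS"
    if patch is not None:
        return "Minimal"
    if minor is not None:
        return "Minor"
    if major is not None:
        return "Major"
    return "Prod"


def exceeds_policy(level: str, max_allowed: str = "Minimal") -> bool:
    """True if `level` reveals more than `max_allowed` (both ServerTokens names)."""
    return SERVER_TOKENS_LEVELS.index(level) > SERVER_TOKENS_LEVELS.index(max_allowed)


def audit_response(raw: bytes, max_allowed: str = "Minimal") -> dict:
    """Summarise what a response's Server header discloses against a policy."""
    header = server_header_from_response(raw)
    level = classify_server_header(header) if header else None
    return {
        "server": header,
        "level": level,
        "exceeds_policy": exceeds_policy(level, max_allowed) if level else False,
    }


if __name__ == "__main__":
    for name, resp in (("OS", SAMPLE_OS_RESPONSE), ("Minimal", SAMPLE_MINIMAL_RESPONSE)):
        print(name, audit_response(resp))
```

Run against stored responses from a scanner or proxy log, the audit reports which hosts still ship the `ServerTokens OS` default; a `None` level means the header was not Apache's own token and needs manual review rather than a policy verdict.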

Bug#843014: Apache2: ServerTokens Minimal

Stefan Fritsch
tags 843014 wontfix
thanks

On Thursday, 3 November 2016 07:42:39 CET Heinrich Schuchardt wrote:

> This results in a header like:
> Server: Apache/2.4.10 (Debian)
>
> Sending the Apache and OS version is a waste of bandwidth.
> Unfortunately Apache does not allow to completely suppress this
> superfluous header.
>
> Furthermore the current setting exposes valuable information to a
> possible intruder:
> Why should any HTTP client care which OS my server is using?

There are services that create statistics of the whole internet based on the
Server header. Including Debian there gives an idea how many servers run
Debian compared to other OSs, and which release of Debian. Therefore I prefer
not to change the default. I don't think the bandwidth waste is relevant in
most setups. On systems where it is, the admin can change the setting, of
course.

While it is true that knowing the OS may give a potential advantage to an
attacker, it is usually also possible to infer this information from other
properties of the default configuration. If your security depends on the OS
being secret, you have bigger problems.

Cheers,
Stefan

Bug#843014: Apache2: ServerTokens Minimal

receive
In reply to this post by Heinrich Schuchardt-2
Hi there,
just would like to add my opinion.

First of all,
thank you Stefan for tagging this as "wontfix".

To be honest, for myself these tokens are essential for debugging
customer appliances without having access to their services. We're able
to identify their server software easily through these headers and are
able to provide proper support services to them.
Further they're enabling us to gather simple statistical information
throughout our monitoring.

Further, normal users who are inexperienced are able to find out with a
simple nmap scan of their server which services are running on it.
Some tutorials rely on these headers, and if we didn't have them anymore,
we couldn't use those tutorials properly anymore. Just google a bit and
you'll find one quite fast.

All in all, they're quite nice to have.
If anyone feels annoyed by them, they're able to turn them off.
I don't think we should remove it by default. As Stefan already
mentioned, they could be a security issue - but as a black hat you could
gather the server information anyway quite fast if you're experienced
enough.

Best wishes,
Anna Sdvoijspa