Kanashii
Joined: 17 Jul 2006 Posts: 155 Location: Porando
Posted: Fri 12 Mar '10 17:56 Post subject: mod_fcgi & mod_security SecServerSignature
SecRuleEngine On
ServerTokens Full
SecServerSignature "(unknown)"
When I use ServerTokens Full and the new mod_fcgi I see in the header: (unknown) mod_cfgi 2.5....
It should be: (unknown)
How to fix this, anyone know?
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Fri 12 Mar '10 18:29 Post subject:
Change ServerTokens to Prod:
SecRuleEngine On
ServerTokens Prod
SecServerSignature "(unknown)"
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Fri 12 Mar '10 18:33 Post subject:
SecServerSignature should override regardless of tokens. However, if fcgi is loaded after mod_security ... I can see how it could slip its signature in there. Try putting fcgi above mod_security in the Loadmodules section.
Kanashii
Joined: 17 Jul 2006 Posts: 155 Location: Porando
Posted: Fri 12 Mar '10 20:06 Post subject:
Changed to Prod:
[error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
"Try putting fcgi above mod_security in the Loadmodules section."
(unknown) mod_fcgid/2.3.5
The same, wrrr
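A check for the banner leak reported above, as an added example that is not code from this thread, from mod_security or from mod_fcgid: it splits a Server header into its product and comment tokens and reports anything beyond the configured SecServerSignature, so the effect of a config or load-order change can be verified from the client side. The host argument and the sample banners are constructed for illustration.

```python
import re
import sys
from http.client import HTTPConnection

# A Server header is a sequence of product tokens ("Apache/2.2.15",
# "mod_fcgid/2.3.5") and parenthesised comments ("(unknown)", "(Win32)").
_TOKEN_RE = re.compile(r"\([^)]*\)|[^\s()]+")


def server_header_tokens(value):
    """Split a Server header value into its product/comment tokens."""
    return _TOKEN_RE.findall(value.strip())


def leaked_tokens(server_header, expected_signature):
    """Return tokens present in the live Server header but absent from the
    configured SecServerSignature, i.e. what a module appended to the banner
    after mod_security rewrote it. The config value may carry its quotes."""
    expected = server_header_tokens(expected_signature.strip().strip('"'))
    actual = server_header_tokens(server_header)
    return [tok for tok in actual if tok not in expected]


def fetch_server_header(host, port=80, path="/"):
    """Issue a HEAD request and return the raw Server header, or None."""
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()


# Constructed sample banners, matching the two outcomes quoted in the thread.
SAMPLE_LEAK = "(unknown) mod_fcgid/2.3.5"
SAMPLE_CLEAN = "(unknown)"

if __name__ == "__main__":
    # Hypothetical usage: python check_banner.py <host>; without a host the
    # constructed leaking sample is analysed instead.
    header = fetch_server_header(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LEAK
    extra = leaked_tokens(header or "", '"(unknown)"')
    print("Server:", header)
    print("tokens beyond SecServerSignature:", extra or "none")
```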
Brian
Joined: 21 Oct 2005 Posts: 209 Location: Puyallup, WA USA
Posted: Fri 12 Mar '10 20:17 Post subject: Loading status
This actually illustrates an interesting question: is there a proper order in which modules and config files ought to be loaded?
Perhaps better to post in a new thread, which I will do.
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Fri 12 Mar '10 20:41 Post subject:
Reproduced ... bug in mod_security possibly.
However, hiding your signature really isn't going to save you from anything. Anyone hammering on your server is going to know what you're running regardless of what you tell them. Which is why there is no way to do this in Apache itself ... although it has been proposed many times.
============================================
Apache HTTP Server users suggest from time to time that the ServerTokens directive allow the Server response header to be eliminated completely. This feature suggestion is rejected for the following reasons:
* The Apache HTTP Server project wants surveys of web server usage, such as the well-known Netcraft survey, to more accurately represent the actual use of Apache httpd. While some web server administrators currently modify the Apache HTTP Server source code or install third-party modules which can remove the Server header, too few administrators do this to significantly alter the results. The same may not be true if it is an easily-accessible feature.
* The Apache HTTP Server project believes that most people who want to avoid sending the Server header mistakenly think that doing so may protect their server from attacks based on known flaws in older Apache HTTPD releases, when in fact the only reasonable way to address these flaws is to upgrade to new Apache HTTPD releases which correct security problems affecting your configuration. By restricting the ability to configure Apache in this manner, we wish to raise awareness of the need to upgrade when critical vulnerabilities are addressed.
===============================================
(*) and those who -use- the 'feature' can pay the penalty for clients which choose not to trust that the anonymous server is capable of -correctly- serving byterange, compression or other features which conserve server load - but aren't consistently implemented properly by all HTTP/1.1 servers
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Fri 16 Apr '10 16:57 Post subject:
blah blah blah Gregg .. no one asked for commentary.
Anyhow, it is a bug and has been there for some time.
https://www.modsecurity.org/tracker/browse/MODSEC-88
I meant to post this weeks ago and forgot.
I think Apache2 loads in alphabetical order so no matter where you load the module, it probably will not help.