logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Third-party Modules View previous topic :: View next topic
Reply to topic   Topic: mod_fcgi & mod_secutity SecServerSignature
Author
Kanashii



Joined: 17 Jul 2006
Posts: 155
Location: Porando

PostPosted: Fri 12 Mar '10 17:56    Post subject: mod_fcgi & mod_secutity SecServerSignature Reply with quote

SecRuleEngine On
ServerTokens Full
SecServerSignature "(unknown)"

Whe i use ServerTokens Full and new mod_fcgi i see in

header (unknown) mod_cfgi 2.5....

should be

(unknown)

How to fix this eany know
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Fri 12 Mar '10 18:29    Post subject: Reply with quote

Change ServerTokens to Prod

SecRuleEngine On
ServerTokens Prod
SecServerSignature "(unknown)"
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Fri 12 Mar '10 18:33    Post subject: Reply with quote

SecServerSignature should override regardless of tokens. However, if fcgi is loaded after mod_security ... I can see how it could slip it's signature in there. Try putting fcgi above mod_security in the Loadmodules section.
Back to top
Kanashii



Joined: 17 Jul 2006
Posts: 155
Location: Porando

PostPosted: Fri 12 Mar '10 20:06    Post subject: Reply with quote

change to prod

[error] SecServerSignature: original signature too short. Please set ServerTokens to Full.


Try putting fcgi above mod_security in the Loadmodules section.

(unknown) mod_fcgid/2.3.5

the same wrrr
Back to top
Brian



Joined: 21 Oct 2005
Posts: 209
Location: Puyallup, WA USA

PostPosted: Fri 12 Mar '10 20:17    Post subject: Loading status Reply with quote

This actually illustrates an interesting question, is there a proper order that modules and config files ought to be loaded?

Perhaps better to post in a new thread. Which I will do.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Fri 12 Mar '10 20:41    Post subject: Reply with quote

Reproduced ... bug in mod_security possibly

However, hiding your signature really isn't going to save you from anything. Anyone hammering on your server is going to know what your running regardless of what you tell them. Which is why there is no way to do this in Apache itself ... although it has been proposed many times.

============================================

Apache HTTP Server users suggest from time to time that the
ServerTokens directive allow the Server response header to be
eliminated completely. This feature suggestion is rejected for the
following reasons:

* The Apache HTTP Server project wants surveys of web server usage,
such as the well-known Netcraft survey, to more accurately represent
the actual use of Apache httpd. While some web server administrators
currently modify the Apache HTTP Server source code or install
third-party modules which can remove the Server header, too few
administrators do this to significantly alter the results. The same
may not be true if it is an easily-accessible feature.

* The Apache HTTP Server project believes that most people who want to
avoid sending the Server header mistakenly think that doing so may
protect their server from attacks based on known flaws in older Apache
HTTPD releases, when in fact the only reasonable way to address these
flaws is to upgrade to new Apache HTTPD releases which correct
security problems affecting your configuration. By restricting the
ability to configure Apache in this manner, we wish to raise awareness
of the need to upgrade when critical vulnerabilities are addressed.

===============================================

(*) and those who -use- the 'feature' can pay the penalty for clients which
choose not to trust that the anonymous server is capable of -correctly- serving
byterange, compression or other features which conserve server load - but aren't
consistently implemented properly by all HTTP/1.1 servers Wink
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Fri 16 Apr '10 16:57    Post subject: Reply with quote

blah blah blah Gregg .. no one asked for commentary.

Anyhow, it is a bug and has been there for some time.
https://www.modsecurity.org/tracker/browse/MODSEC-88

I meant to post this weeks ago and forgot.
I think Apache2 loads in alphabetical order so no matter where you load the module, it probably will not help.
Back to top


Reply to topic   Topic: mod_fcgi & mod_secutity SecServerSignature View previous topic :: View next topic
Post new topic   Forum Index -> Third-party Modules