Author |
|
Kanashii
Joined: 17 Jul 2006 Posts: 155 Location: Porando
|
Posted: Fri 12 Mar '10 17:56 Post subject: mod_fcgi & mod_secutity SecServerSignature |
|
|
SecRuleEngine On
ServerTokens Full
SecServerSignature "(unknown)"
Whe i use ServerTokens Full and new mod_fcgi i see in
header (unknown) mod_cfgi 2.5....
should be
(unknown)
How to fix this eany know |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Fri 12 Mar '10 18:29 Post subject: |
|
|
Change ServerTokens to Prod
SecRuleEngine On
ServerTokens Prod
SecServerSignature "(unknown)" |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Fri 12 Mar '10 18:33 Post subject: |
|
|
SecServerSignature should override regardless of tokens. However, if fcgi is loaded after mod_security ... I can see how it could slip it's signature in there. Try putting fcgi above mod_security in the Loadmodules section. |
|
Back to top |
|
Kanashii
Joined: 17 Jul 2006 Posts: 155 Location: Porando
|
Posted: Fri 12 Mar '10 20:06 Post subject: |
|
|
change to prod
[error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
Try putting fcgi above mod_security in the Loadmodules section.
(unknown) mod_fcgid/2.3.5
the same wrrr |
|
Back to top |
|
Brian
Joined: 21 Oct 2005 Posts: 209 Location: Puyallup, WA USA
|
Posted: Fri 12 Mar '10 20:17 Post subject: Loading status |
|
|
This actually illustrates an interesting question, is there a proper order that modules and config files ought to be loaded?
Perhaps better to post in a new thread. Which I will do. |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Fri 12 Mar '10 20:41 Post subject: |
|
|
Reproduced ... bug in mod_security possibly
However, hiding your signature really isn't going to save you from anything. Anyone hammering on your server is going to know what your running regardless of what you tell them. Which is why there is no way to do this in Apache itself ... although it has been proposed many times.
============================================
Apache HTTP Server users suggest from time to time that the
ServerTokens directive allow the Server response header to be
eliminated completely. This feature suggestion is rejected for the
following reasons:
* The Apache HTTP Server project wants surveys of web server usage,
such as the well-known Netcraft survey, to more accurately represent
the actual use of Apache httpd. While some web server administrators
currently modify the Apache HTTP Server source code or install
third-party modules which can remove the Server header, too few
administrators do this to significantly alter the results. The same
may not be true if it is an easily-accessible feature.
* The Apache HTTP Server project believes that most people who want to
avoid sending the Server header mistakenly think that doing so may
protect their server from attacks based on known flaws in older Apache
HTTPD releases, when in fact the only reasonable way to address these
flaws is to upgrade to new Apache HTTPD releases which correct
security problems affecting your configuration. By restricting the
ability to configure Apache in this manner, we wish to raise awareness
of the need to upgrade when critical vulnerabilities are addressed.
===============================================
(*) and those who -use- the 'feature' can pay the penalty for clients which
choose not to trust that the anonymous server is capable of -correctly- serving
byterange, compression or other features which conserve server load - but aren't
consistently implemented properly by all HTTP/1.1 servers |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Fri 16 Apr '10 16:57 Post subject: |
|
|
blah blah blah Gregg .. no one asked for commentary.
Anyhow, it is a bug and has been there for some time.
https://www.modsecurity.org/tracker/browse/MODSEC-88
I meant to post this weeks ago and forgot.
I think Apache2 loads in alphabetical order so no matter where you load the module, it probably will not help. |
|
Back to top |
|