#1
9th March 2012, 22:14
jtheed (Member)
Trace|track

We had a PCI scan done on our server and it says that TRACE and TRACK are enabled. I found several answers on the Web but they do not seem to work. I have TraceEnabled Off in the conf.d/security file. I tried adding the following to my Server Directives in ISPCONFIG3:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

but you can still run a Trace. I have stopped and started apache2 and even rebooted the box. Still Trace is enabled. I am testing it by using the following from another Linux box.

Telnet hostname 80
TRACE / HTTP/1.0
Host: hostname
TestA: Hello
TestB: World
enter enter
and I get a reply from the Server
Type Apache
Date Current Date
Content Type ...
Content Length etc...

Is there a different way to make sure this service gets disabled?
#2
9th March 2012, 22:21
kwickcut (Senior Member)

This may help you. I used this on a machine for a friend. I forget where I found this; hope it helps you.

TRACE is enabled by default in an apache installation. There are two ways to remediate. The first can be used if you are running Apache 1.3.34, 2.0.55, or anything in the 2.2 release. Simply add the TraceEnable directive into your httpd.conf and set the value to Off.

The second mechanism involves creating a mod_rewrite rule that will disable http methods, which is also quite popular and works with ANY version of apache that supports mod_rewrite. The directives below would need to be set, which are written assuming that this is the first time use for mod_rewrite.

The first thing to do is make sure that mod_rewrite is loaded. If mod_rewrite.so is missing from your apache configuration but you have it installed, (and your install location is /usr/local/apache), then add the following statement to your httpd.conf:

LoadModule rewrite_module "/usr/local/apache/modules/mod_rewrite.so"

Then add the following as well to your httpd.conf file:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Restart apache, re-run the steps in the Validation section, and with either method, you should receive an HTTP 405-Method Not Allowed status code back.
__________________
Operating system Ubuntu Linux 10.04.4
ISPConfig Version: 3.0.4.3
Webmin version 1.580
Kernel and CPU Linux 2.6.32-40-server on x86_64
Processor information AMD Phenom(tm) II X4 945 Processor, 4 cores
Real memory 4.0 GB total
#3
9th March 2012, 22:36
jtheed (Member)

Thank you for the quick response, but that's the first article I found and it did not work for me.
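
The manual telnet check from the first post can be scripted so the result is read from the status code and body rather than by eye. This is an added example, not part of the thread: it sends TRACE and TRACK with a constructed marker header and reports whether the server echoed the request back. The names `MARKER`, `build_request`, `classify` and `probe`, and the choice to treat 403, 405 and 501 as "disabled", are assumptions of this example.

```python
import socket
import sys

# Constructed marker header; a server with TRACE enabled echoes it back in the body.
MARKER = "X-Trace-Probe: constructed-marker-1234"

def build_request(method, host):
    """Raw HTTP/1.0 request like the telnet test in the thread, plus the marker."""
    return f"{method} / HTTP/1.0\r\nHost: {host}\r\n{MARKER}\r\n\r\n".encode("ascii")

def classify(raw):
    """Return (status_code, verdict) for a raw HTTP response given as bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None, "unparseable"
    status = int(parts[1])
    if status == 200 and MARKER.encode("ascii").lower() in body.lower():
        return status, "enabled"        # the request was echoed back in the body
    if status in (403, 405, 501):
        return status, "disabled"       # forbidden / not allowed / not implemented
    return status, "inconclusive"       # e.g. redirect or 200 without echo; check by hand

def probe(host, port=80, timeout=5.0):
    """Send TRACE and TRACK to host:port; return {method: (status, verdict)}."""
    results = {}
    for method in ("TRACE", "TRACK"):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_request(method, host))
            chunks = []
            while True:                 # HTTP/1.0: the server closes when it is done
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        results[method] = classify(b"".join(chunks))
    return results

if __name__ == "__main__" and len(sys.argv) > 1:
    for method, (status, verdict) in probe(sys.argv[1]).items():
        print(f"{method}: HTTP {status} -> {verdict}")
```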