Where can I set ServerTokens for ispconfig?

[Telesat]

I have set "ServerTokens ProductOnly" for apache2 in /etc/apache2/apache2.conf and it is working perfectly (only showing Apache).

Then I have tried to set it also for ispconfig (httpd = apache1) but it is not working. I've tried to put it in the following files (with no result after restarting ispconfig_server):

/root/ispconfig/httpd/conf/httpd.conf
/root/ispconfig/httpd/conf/httpd.conf_http
/root/ispconfig/httpd/conf/httpd.conf_https

I have not tried to reboot the server, but I don't think that it would help. Does anyone know where to set such an important option for security?

Thanks in advance.

[martinfst]

Security by Obscurity is no security at all. It helps a bit, but you should never rely on masquerading and think you're save.

I've done it myself for the regular Apache2 server like you, but I never bothered to look at ISPconfig. It's either running on port 81 (default) or it's running https on port 80 (like I did on a separate IP on the same box). See the forum on how to do that.

[Telesat]

Martin, I'm aware of it, AFAIK my servers are secure, but what about a zero-day exploit for 1.3.37? Give a 0-day to any script-kiddie and will try to find the affected servers by its signature: I don't feel like having it, and you? If you did it for your apache2, why didn't you bother about ispconfig?

I have upgraded to ISPC 2.2.11 some hours ago. I discovered that the firewall in ISPC was bastille when I installed bastille. I have psad, port-knocking, logcheck, rkhunter, chkrootkit, perfect permissions, and some other security tools and I know exactly what they do, and how to use them. I also know how to change ports and IPs depending on the service in apache, or in any other program.

You tell me to go to the forum and find... what? Isn't it a bad RTFM? Of course I've searched in the fora, have you found an answer to my question?

[martinfst]

There's no need to get upset. How should we be able to tell how much you know about security and how well (or not) you protected your servers? You write nothing about your background (no need to), but blaming me for probably a typo is not very nice. If you can't accept critical questions, you shouldn't be on the internet.

Back to your original question, just for the sake of this thread, I added

Code:

ServerTokens ProductOnly

to /root/ispconfig/httpd/conf/httpd.conf, and restarted ISPConfig:

Code:

/etc/init.d/ispconfig_server restart

I added the ServerTokens line at line 288 (of a 2.2.9 install) after the (commented) ServerName directive. It's working as expected.

[Telesat]

Hello Martin

Thanks for your time and for the update, but it is not working in my servers: nor in old 2.2.10 neither in new 2.2.11.

No typos here: before asking I had tried with

Code:

ServerTokens ProductOnly

and with

Code:

ServerTokens Prod

in the place you say and 800 lines later, inside

Code:

##
## SSL Virtual Host Context
##

<VirtualHost _default_:XY>

I didn't get upset, see the smiley in the title of the answer ( ). Of course I can accept critical questions, whenever they have some kind of base. Maybe my Junior status made you think I was a noob, that's good: I like to see how beginners are treated in each place.

I think that everyone may be allowed on the Internet, with some minor exceptions: crackers, pirates, trolls, flamers, FUDers, pederasts, fascists, criminals, terrorists...

My tech background (not necessary, I know): Computer Science and Telecommunications Engineering (both are 5 year university degrees in my country). BTW security by obsolence is not security at all either

Did anyone manage to do it in the 2 more recent versions of ISPConfig? Should I fill a bug ticket? May I become an ISPC developper to fix this issue?

[falko]

Take a look here: http://httpd.apache.org/docs/1.3/mod...l#servertokens
http://httpd.apache.org/docs/1.3/mis...l#serverheader

Don't forget to restart ISPConfig after your changes.

[Telesat]

Sorry falko, I knew this info, but it is not working for me

When I find the right place to put the ServerTokens, I'll come back and tell you.

[falko]

I'm confused now. You want to change the ServerTokens for the ISPConfig server (port 81), not for the main Apache, right?

Did you modify /root/ispconfig/httpd/conf/httpd.conf or another file?

[Telesat]

Hi,

I'm confused also, I modified the file /etc/apache2/apache2.conf and it worked like a charm: when I point http://SERVER_IP/er404 I get:

Code:

Object not found!
The requested URL was not found on this server. If you entered the URL manually please check your spelling and try again. 
If you think this is a server error, please contact the webmaster. 
Error 404
SERVER_IP
Fri Mar 9 15:15:51 2007
Apache

Then I wanted to modify the configuration for ISPC, which originally uses https://domain.tld:81. My /root/ispconfig/httpd/conf/httpd.conf is the default file provided with ispconfig 2.2.11 (and 2.2.10). I tried modifying it, but when pointing at: https://SERVER_IP:81/er404 I get:

Code:

404 Not Found
Not Found
The requested URL /er404 was not found on this server.
Apache/1.3.37 Server at SERVER_IP Port 81

I tried to modify these files also, but it didn't help:
- /root/ispconfig/httpd/conf/httpd.conf_http
- /root/ispconfig/httpd/conf/httpd.conf_https

Could you please confirm that it is working for you in ISPConfig 2.2.10 or 2.2.11?

Thanks for your help

[martinfst]

After you modified /root/ispconfig/httpd/conf/httpd.conf, did you restart the ISPC webserver:

Code:

/etc/init.d/ispconfig_server restart

?