  #1  
6th March 2007, 18:14
Telesat
Question Where can I set ServerTokens for ispconfig?

I have set "ServerTokens ProductOnly" for apache2 in /etc/apache2/apache2.conf and it is working perfectly (only showing Apache).

Then I have tried to set it also for ispconfig (httpd = apache1) but it is not working. I've tried to put it in the following files (with no result after restarting ispconfig_server):

/root/ispconfig/httpd/conf/httpd.conf
/root/ispconfig/httpd/conf/httpd.conf_http
/root/ispconfig/httpd/conf/httpd.conf_https

I have not tried to reboot the server, but I don't think that it would help. Does anyone know where to set such an important option for security?

Thanks in advance.

Last edited by Telesat; 7th March 2007 at 05:40.
  #2  
6th March 2007, 22:01
martinfst

Security by Obscurity is no security at all. It helps a bit, but you should never rely on masquerading and think you're safe.

I've done it myself for the regular Apache2 server like you, but I never bothered to look at ISPconfig. It's either running on port 81 (default) or it's running https on port 80 (like I did on a separate IP on the same box). See the forum on how to do that.
The Following User Says Thank You to martinfst For This Useful Post:
Telesat (23rd February 2008)
  #3  
7th March 2007, 02:54
Telesat
Cool No one?

Martin, I'm aware of it, AFAIK my servers are secure, but what about a zero-day exploit for 1.3.37? Give a 0-day to any script-kiddie and they will try to find the affected servers by its signature: I don't feel like having it, and you? If you did it for your apache2, why didn't you bother about ispconfig?

I have upgraded to ISPC 2.2.11 some hours ago. I discovered that the firewall in ISPC was bastille when I installed bastille. I have psad, port-knocking, logcheck, rkhunter, chkrootkit, perfect permissions, and some other security tools and I know exactly what they do, and how to use them. I also know how to change ports and IPs depending on the service in apache, or in any other program.

You tell me to go to the forum and find... what? Isn't it a bad RTFM? Of course I've searched in the fora, have you found an answer to my question?

Last edited by Telesat; 7th March 2007 at 08:02.
  #4  
7th March 2007, 09:39
martinfst

There's no need to get upset. How should we be able to tell how much you know about security and how well (or not) you protected your servers? You write nothing about your background (no need to), but blaming me for probably a typo is not very nice. If you can't accept critical questions, you shouldn't be on the internet.

Back to your original question, just for the sake of this thread, I added

Code:
ServerTokens ProductOnly

to /root/ispconfig/httpd/conf/httpd.conf, and restarted ISPConfig:

Code:
/etc/init.d/ispconfig_server restart

I added the ServerTokens line at line 288 (of a 2.2.9 install) after the (commented) ServerName directive. It's working as expected.
  #5  
7th March 2007, 10:27
Telesat
Unhappy Not working in 2.2.10, 2.2.11

Hello Martin

Thanks for your time and for the update, but it is not working on my servers: neither in the old 2.2.10 nor in the new 2.2.11.

No typos here: before asking I had tried with

Code:
ServerTokens ProductOnly

and with

Code:
ServerTokens Prod

in the place you say and 800 lines later, inside

Code:
##
## SSL Virtual Host Context
##

<VirtualHost _default_:XY>

I didn't get upset, see the smiley in the title of the answer ( ). Of course I can accept critical questions, whenever they have some kind of base. Maybe my Junior status made you think I was a noob, that's good: I like to see how beginners are treated in each place.

I think that everyone may be allowed on the Internet, with some minor exceptions: crackers, pirates, trolls, flamers, FUDers, pederasts, fascists, criminals, terrorists...

My tech background (not necessary, I know): Computer Science and Telecommunications Engineering (both are 5 year university degrees in my country). BTW security by obsolescence is not security at all either.

Did anyone manage to do it in the 2 most recent versions of ISPConfig? Should I file a bug ticket? May I become an ISPC developer to fix this issue?

Last edited by Telesat; 7th March 2007 at 10:33.
  #6  
7th March 2007, 18:53
falko

Take a look here: http://httpd.apache.org/docs/1.3/mod...l#servertokens
http://httpd.apache.org/docs/1.3/mis...l#serverheader

Don't forget to restart ISPConfig after your changes.
The Following User Says Thank You to falko For This Useful Post:
Telesat (23rd February 2008)
  #7  
8th March 2007, 00:48
Telesat
Red face A good RTFM

Sorry falko, I knew this info, but it is not working for me.

When I find the right place to put the ServerTokens, I'll come back and tell you.
  #8  
8th March 2007, 18:28
falko

I'm confused now. You want to change the ServerTokens for the ISPConfig server (port 81), not for the main Apache, right?

Did you modify /root/ispconfig/httpd/conf/httpd.conf or another file?
  #9  
9th March 2007, 15:16
Telesat
Unhappy Me too

Hi,

I'm confused also, I modified the file /etc/apache2/apache2.conf and it worked like a charm: when I point http://SERVER_IP/er404 I get:

Code:
Object not found!
The requested URL was not found on this server. If you entered the URL manually please check your spelling and try again.
If you think this is a server error, please contact the webmaster.
Error 404
SERVER_IP
Fri Mar 9 15:15:51 2007
Apache

Then I wanted to modify the configuration for ISPC, which originally uses https://domain.tld:81. My /root/ispconfig/httpd/conf/httpd.conf is the default file provided with ispconfig 2.2.11 (and 2.2.10). I tried modifying it, but when pointing at: https://SERVER_IP:81/er404 I get:

Code:
404 Not Found
Not Found
The requested URL /er404 was not found on this server.
Apache/1.3.37 Server at SERVER_IP Port 81

I tried to modify these files also, but it didn't help:
- /root/ispconfig/httpd/conf/httpd.conf_http
- /root/ispconfig/httpd/conf/httpd.conf_https

Could you please confirm that it is working for you in ISPConfig 2.2.10 or 2.2.11?

Thanks for your help

Last edited by Telesat; 9th March 2007 at 15:19.
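
A check related to the two results quoted above, added here as an example and not part of the original posts: it parses a raw HTTP response and reports separately whether a version string appears in the Server response header, which ServerTokens sets, and in the error-page footer, which is emitted under ServerSignature. The response bytes are constructed, the "Server: Apache" header value is an assumption (the thread quotes only the page footer), and audit_banner is a hypothetical name.

```python
import re

# Constructed sample: a raw HTTP response shaped like the port-81 result quoted
# above. The Server header value is assumed; the thread shows only the footer.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Date: Fri, 09 Mar 2007 14:15:51 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY>\n"
    b"<H1>Not Found</H1>\n"
    b"The requested URL /er404 was not found on this server.<P>\n"
    b"<HR><ADDRESS>Apache/1.3.37 Server at SERVER_IP Port 81</ADDRESS>\n"
    b"</BODY></HTML>\n"
)

# A product token followed by "/<digit>" means a version is being disclosed.
VERSIONED = re.compile(r"\b[A-Za-z][\w.+-]*/\d[\w.]*")
# The generated footer line sits inside an <ADDRESS> element.
FOOTER = re.compile(r"<address>(.*?)</address>", re.I | re.S)


def audit_banner(raw: bytes) -> dict:
    """Report version disclosure per channel: Server header vs. page footer."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    # Skip the status line, then split each "Name: value" header.
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    server = headers.get("server", "")
    footer_match = FOOTER.search(body.decode("iso-8859-1"))
    footer = footer_match.group(1).strip() if footer_match else ""
    return {
        "server_header": server,
        "header_leaks_version": bool(VERSIONED.search(server)),
        "footer": footer,
        "footer_leaks_version": bool(VERSIONED.search(footer)),
    }


if __name__ == "__main__":
    for key, value in audit_banner(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

To audit a real server, save the full response (headers and body) to a file and pass its bytes to audit_banner.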
  #10  
9th March 2007, 15:19
martinfst

After you modified /root/ispconfig/httpd/conf/httpd.conf, did you restart the ISPC webserver?

Code:
/etc/init.d/ispconfig_server restart

All times are GMT +2.