Re: [cobalt-security] Proftpd Security Update 2.0.1 - New
- Subject: Re: [cobalt-security] Proftpd Security Update 2.0.1 - New
- From: Dan Keller <cobalt@xxxxxxxxxx>
- Date: Wed, 19 Feb 2003 16:31:19 -0800
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
At 11:09 AM 2/17/2003 +0000, Menno M Jansz wrote:
>Add the following to your httpd.conf:
>
>ServerTokens ProductOnly

Good idea! According to the Apache doc,
this should prevent the server from identifying
the OS and the Apache version. Withholding
information from potential hackers
seems like a good idea.

Alas, it doesn't appear to work...
I run a RaQ2 and have religiously applied all the updates.

Here's what I did:
1. added the above directive to /etc/httpd/conf/httpd.conf
2. restarted Apache
3. telnetted to Apache and made this request:
   get / http/1.0 <cr> <cr>

The header that came back included the following:
   Server: Apache/1.3.3 Cobalt (Unix) (Red Hat/Linux)

What I had expected was:
   Server: Apache

What am I doing wrong?
Many thanks for any light you can shed!

Dan Keller
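
The manual telnet check from the message above, written as a repeatable script. This is an added example, not part of the original post; it assumes a HEAD request instead of the GET used in the message, the function names are hypothetical, and the sample responses are constructed around the two Server values quoted in the message.

```python
import re
import socket

# Constructed sample responses; the Server values are the two quoted in the message.
SAMPLE_BEFORE = (b"HTTP/1.1 200 OK\r\n"
                 b"Server: Apache/1.3.3 Cobalt (Unix) (Red Hat/Linux)\r\n"
                 b"Content-Type: text/html\r\n\r\n")
SAMPLE_AFTER = b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"

def fetch_headers(host, port=80, timeout=5.0):
    """Send an HTTP/1.0 HEAD request to your own server and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def server_header(raw):
    """Return the Server header value from a raw response, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def audit_banner(value):
    """Report what a Server value discloses beyond the bare product name."""
    comments = re.findall(r"\(([^)]*)\)", value)           # e.g. OS details
    tokens = re.sub(r"\([^)]*\)", " ", value).split()       # product tokens
    versions = [t for t in tokens if "/" in t]              # name/version pairs
    extras = [t for t in tokens[1:] if "/" not in t]        # vendor or module names
    return {
        "product": tokens[0].split("/")[0] if tokens else None,
        "versions": versions,
        "extras": extras,
        "comments": comments,
        "product_only": bool(tokens) and not (versions or extras or comments),
    }

if __name__ == "__main__":
    for raw in (SAMPLE_BEFORE, SAMPLE_AFTER):
        print(server_header(raw), "->", audit_banner(server_header(raw)))
```

When the banner does not change after a restart, check the directive's compatibility note: the Apache 1.3 documentation lists the ProductOnly keyword as available only in versions later than 1.3.12.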