
I just noticed that my 403 Forbidden (the default, not a custom one) page displays some server info:

Apache/2.2.3 (Red Hat) Server at ... Port 80

Is revealing this information a security risk?

AviD
JD Isaacks

4 Answers


Revealing that information is a security risk, in the context of a security assessment of your website. (I'm talking about checkbox style assessments here)

Nothing more than that - it just makes fingerprinting the webserver more difficult, but by no means impossible - not even hard. It will not hinder any attacker specifically targeting the website, not even a bit, although it will force him to take actions that will possibly hit some IDS. It may hinder some automated crawlers or mass attacks, though.

I would categorise this to the 'best practices' list.

john
  • It's always a matter of cost. Increasing the cost of attack is always a good thing, as long as applying that defense wouldn't be much of a cost to you. – Pacerier May 22 '15 at 11:20

Directly, no. This is a matter of security through obscurity. Removing the server headers does not remove the vulnerabilities and functions associated with it.

In the context of risk (risk = probability x consequence), it might decrease the possibility of being targeted by some automated tools that rely on fingerprinting your services. The consequences would remain the same.

This question has already covered this discussion about security through obscurity to a good extent. The accepted answer in that question has a very compelling argument, which I agree with.

My thoughts on this are that obscuring information is helpful to security in many cases as it can force an attacker to generate more "noise" which can be detected. - Rory

Dog eat cat world
    Agreed, knowing the server and version should not make you less secure if you have good patch management, hardening, access control, monitoring etc. But good practice is to minimize the amount of un-required information you leak to an attacker. – Rakkhi Jun 30 '11 at 14:32
    Right, the most compelling argument I read from the provided link, was that removing information about running services, forces the attacker to provide more network noise to determine what you are running. – Dog eat cat world Jun 30 '11 at 14:34
    Exactly. If you don't just "give it" to them, they are potentially either going to have to do some noisy reconnaissance or 'guess' about what versions you are running (and thus possibly try some attack avenues that are 'closed' and make even more noise) –  Jun 30 '11 at 19:49

It definitely provides some interesting information to possible attackers about your system (operating system, web server type and version). So I guess that it would be wise to either remove that information completely or change it to something more generic/user friendly.

You should check your httpd.conf file for ServerTokens and ServerSignature in order to make the relevant changes.

Pavlos G.
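The two directives named in the answer above, shown as an added configuration example that is not part of the original question or answers. It assumes Apache httpd 2.2 on Red Hat as in the question; the file path in the comments is the RHEL default and is an assumption. The directive values and the resulting banners are the ones documented for ServerTokens and ServerSignature.

```apache
# Added example (not from the page). Assumed location: /etc/httpd/conf/httpd.conf
# (main server context: ServerTokens is only valid there; ServerSignature may also
# be set per virtual host, per directory or in .htaccess).

# --- Weak setting: what produces the banner quoted in the question -------------
# ServerTokens OS    -> "Server: Apache/2.2.3 (Red Hat)"
# ServerTokens Full  -> same, plus versions of loaded modules (the default)
# ServerSignature On -> appends "Apache/2.2.3 (Red Hat) Server at <host> Port 80"
#                       to server-generated pages such as the default 403
#ServerTokens OS
#ServerSignature On

# --- Hardened setting: least disclosure these directives allow ----------------
# Prod is the least verbose level: the header becomes "Server: Apache"
# (product name only; no version, no OS, no module list).
ServerTokens Prod

# Off removes the footer line from error pages and directory listings.
ServerSignature Off
```

After restarting httpd, verify with `curl -sI http://your-host/ | grep -i '^Server:'` and by requesting a forbidden path to confirm the 403 body no longer carries the footer. Note the caveat: `ServerTokens Prod` still announces "Apache"; the core directives cannot suppress the Server header entirely, so going further requires a module that rewrites it (for example ModSecurity's `SecServerSignature`), and none of that changes which vulnerabilities the 2.2.3 build actually has.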

Showing banners and versions could affect the security of your system if there exist security vulnerabilities for that software and those versions. So, if you maintain your applications updated, showing the banners does not affect the security, but if a security vulnerability exists, showing banners and versions reduces security.

This is also how OSSTMM will answer your question. Showing a banner or a version is an Exposure. Exposures only count toward calculating RAVs if there is also a Vulnerability associated with the Exposure; if not, the Exposure does not count.

kinunt