'Security Through Obscurity'. This principle is used in securing computer systems by implementation of secrecy in design to provide security. The basic idea is not revealing details about the system or giving out wrong information in attempt to thwart possible attacks. Although this principle provides security upto some extent, it does not actually fix the vulnerability. The only possible benefit is the delay in information gathering phase (wikipedia). However i've been willing to try it out and here I'd like to share it...
I'll show you how to change apache server name to anything you wish (like windows IIS and so on) which will appear in HTTP response headers. The folloing screenshot shows default output of the apache server to nmap scan.
Here I am using apache2 on ubuntu box in VM.
First of all, we need to install mod_security apache module. We do that by typing the following commands on a shell.
root@ubuntu:~#apt-get update
root@ubuntu:~#apt-get install libapache-mod-security
Now that mod-security is installed, we need to enable it by typing:
root@ubuntu:~#a2enmod mod-security
You may want to restart your server at this point of time by typing:
root@ubuntu:~#/etc/init.d/apache2 restart
Navigate to the following directory:
/etc/apache2/conf.d/
and open the file "security" with your favorite editor. It should look something like this:
See the line "ServerTokens OS" ?
Replace that with "ServerTokens Full". (alternatively, you can comment out 'ServerTokens OS' and remove the comment on 'ServerTokens Full').
Scroll down a bit and you'll see this line: ServerSignature On
Replace this line with : SecServerSignature Microsoft-IIS/5.0
Note the difference. Here, you can replace "Microsoft-IIS/5.0" with any other name you want. This is the string which is going to appear in the HTTP responses of the server.
Save the file and exit. Restart the server typing in:
root@ubuntu:~#etc/init.d/apache2 restart
Now you're ready to fire up nmap and scan your host!
There it is! It showed our apache server as microsoft iis.
This technique can be used to temporarily mask the web server name while a critical unpatched vulnerability is existing.
However, there are many other ways a skilled hacker can determine the actual service and version running on the machine. One should not totally depend upon 'security through obscurity' principle and it should never be used as the primary defense against attacks.
Nothing beats secure application coding!
Please let me know your comments and suggestions.. :)
Thank you!
I'll show you how to change apache server name to anything you wish (like windows IIS and so on) which will appear in HTTP response headers. The folloing screenshot shows default output of the apache server to nmap scan.
Here I am using apache2 on ubuntu box in VM.
First of all, we need to install mod_security apache module. We do that by typing the following commands on a shell.
root@ubuntu:~#apt-get update
root@ubuntu:~#apt-get install libapache-mod-security
Now that mod-security is installed, we need to enable it by typing:
root@ubuntu:~#a2enmod mod-security
You may want to restart your server at this point of time by typing:
root@ubuntu:~#/etc/init.d/apache2 restart
Navigate to the following directory:
/etc/apache2/conf.d/
and open the file "security" with your favorite editor. It should look something like this:
See the line "ServerTokens OS" ?
Replace that with "ServerTokens Full". (alternatively, you can comment out 'ServerTokens OS' and remove the comment on 'ServerTokens Full').
Scroll down a bit and you'll see this line: ServerSignature On
Replace this line with : SecServerSignature Microsoft-IIS/5.0
Note the difference. Here, you can replace "Microsoft-IIS/5.0" with any other name you want. This is the string which is going to appear in the HTTP responses of the server.
Save the file and exit. Restart the server typing in:
root@ubuntu:~#etc/init.d/apache2 restart
Now you're ready to fire up nmap and scan your host!
There it is! It showed our apache server as microsoft iis.
This technique can be used to temporarily mask the web server name while a critical unpatched vulnerability is existing.
However, there are many other ways a skilled hacker can determine the actual service and version running on the machine. One should not totally depend upon 'security through obscurity' principle and it should never be used as the primary defense against attacks.
Nothing beats secure application coding!
Please let me know your comments and suggestions.. :)
Thank you!
No comments:
Post a Comment