A blog on Computer Science, Security, Programming, and more...

HeapSpray Blog » Security » View Post

23
Apr
2013

Service Fingerprinting

Written by Matt

Why is it that most services and daemons feel the need to relay their exact version and signature every time? It serves for statistics, but it does draw on security quite a bit when one knows everything about your setup from a GET request.

Compare the response from my local apache server that I used for development to the secure one I set for this server.

Default (more or less) Apache:

HTTP/1.1 200 OK
Date: Tue, 23 Apr 2013 03:04:29 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8r DAV/2 PHP/5.3.6 SVN/1.6.16
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "2a5ec-2c-3e9564c23b600"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

Customized response (I had to edit nginx's source for this):

HTTP/1.1 200 OK
Server: Anonymous
Date: Tue, 23 Apr 2013 03:06:07 GMT
Content-Type: text/html
Connection: close
Set-Cookie: [...]
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

The former relays exact versions of 6 services which could be exploitable. For bots that scan the 'net passively and attempt canned exploits, reading the headers for which service versions are available would make them far more efficient. This masking won't do much to stop a single, focused attacker (though it won't hurt), but it does help a lot as far as guarding against passive exploitation scans.

Topic: Security tags: php, nginx, apache, http, bots
  • Name and Email fields are optional
  • Your email will not be public, only the administrator can see it
  • You are rate limited to one comment for every 10 minutes