How do we modify the 'Server' string in Zope? My boss is on a security kick, and somebody got him stuck on the term 'banner grabbing'. I just want to put something in there that doesn't identify the server or version. Thanks, Rick
On Tue, 2003-09-30 at 17:46, D. Rick Anderson wrote:
How do we modify the 'Server' string in Zope? My boss is on a security kick, and somebody got him stuck on the term 'banner grabbing'. I just want to put something in there that doesn't identify the server or version.
Are you hosting zope behind apache? You may need to do your trickery there... -- mitchy
Nope. No apache. Just a straight Zope server behind a firewall.
Thanks,
Rick

Mitch Pirtle wrote:
On Tue, 2003-09-30 at 17:46, D. Rick Anderson wrote:
How do we modify the 'Server' string in Zope? My boss is on a security kick, and somebody got him stuck on the term 'banner grabbing'. I just want to put something in there that doesn't identify the server or version.
Are you hosting zope behind apache? You may need to do your trickery there...
-- mitchy
D. Rick Anderson wrote:
Nope. No apache. Just a straight Zope server behind a firewall.
HA. If your boss cares about security, then ZServer's banner is the least of his worries with that kind of arrangement. ZServer is not a production-worthy HTTP server; treating it as one will definitely create security problems.
-- Jamie Heilman http://audible.transient.net/~jamie/ "Most people wouldn't know music if it came up and bit them on the ass." -Frank Zappa
Apache forwards it, e.g. from a query via Apache:
Server: Zope/(Zope 2.6.1 (source release, python 2.1, linux2), python 2.1.3, freebsd4) ZServer/1.1b1
I don't believe in relying on security-through-obscurity, but that does strike me as a bit too informative.

Mitch Pirtle wrote:
On Tue, 2003-09-30 at 17:46, D. Rick Anderson wrote:
How do we modify the 'Server' string in Zope? My boss is on a security kick, and somebody got him stuck on the term 'banner grabbing'. I just want to put something in there that doesn't identify the server or version.
Are you hosting zope behind apache? You may need to do your trickery there...
-- mitchy
I don't believe in relying on security-through-obscurity...
I couldn't agree more, but it shows up as a 'warning' in Nessus, and my boss wants it cleared up. I don't intend to 'rely' on that, but why give some dough-head out there more information than you have to? I've done it to our servers that ARE running apache with:
ServerTokens Prod
and then all they return is "Apache" without any versioning info, and if you set:
expose_php = Off
in your /etc/php.ini it won't barf out all of your PHP version information either. I just want to know how to do it in Zope.
Thanks,
Rick
Mitch Pirtle wrote:
On Tue, 2003-09-30 at 17:46, D. Rick Anderson wrote:
How do we modify the 'Server' string in Zope? My boss is on a security kick, and somebody got him stuck on the term 'banner grabbing'. I just want to put something in there that doesn't identify the server or version.
Are you hosting zope behind apache? You may need to do your trickery there...
-- mitchy
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Looks like there's one line in ZServer/HTTPServer.py that does it all:
SERVER_IDENT='Zope/%s ZServer/%s' % (ZOPE_VERSION,ZSERVER_VERSION)
If you wanted to emulate the Apache production settings, you could change that to:
SERVER_IDENT='Zope'

D. Rick Anderson wrote:
I don't believe in relying on security-through-obscurity...
I couldn't agree more, but it shows up as a 'warning' in Nessus, and my boss wants it cleared up. I don't intend to 'rely' on that, but why give some dough-head out there more information than you have to? I've done it to our servers that ARE running apache with:
ServerTokens Prod
and then all they return is "Apache" without any versioning info, and if you set:
expose_php = Off
in your /etc/php.ini it won't barf out all of your PHP version information either. I just want to know how to do it in Zope. ....
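A small audit helper for the situation Steve and Rick describe: it pulls the Server header out of an HTTP response head and flags any product/version tokens, so you can confirm that a change like SERVER_IDENT='Zope' or ServerTokens Prod actually removed the versioning info a scanner would warn about. This is an added example, not code from Zope or from the thread; the sample headers and the response head are constructed (the verbose one copies the string quoted earlier in the thread), and the version regex is an assumption about what counts as a leaked version.

```python
import re

# Constructed sample Server headers (not captured from any live host).
# "verbose_zope" is the string quoted in this thread; the other two are the
# outcomes of ServerTokens Prod (Apache) and SERVER_IDENT='Zope' (ZServer).
SAMPLE_BANNERS = {
    "verbose_zope": "Zope/(Zope 2.6.1 (source release, python 2.1, linux2), "
                    "python 2.1.3, freebsd4) ZServer/1.1b1",
    "apache_prod": "Apache",
    "zope_stripped": "Zope",
}

# Constructed raw response head, as a banner-grabbing scanner would see it.
RAW_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Server: " + SAMPLE_BANNERS["verbose_zope"] + "\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Assumed definition of a leak: a product name followed by "/" or a space and a
# dotted, digit-led version (e.g. Zope/2.6.1, python 2.1.3, ZServer/1.1b1).
_VERSION_RE = re.compile(r"([A-Za-z][A-Za-z0-9_-]*)[/ ]v?(\d+(?:\.\d+)+[A-Za-z0-9]*)")


def server_header_from_response(raw_head):
    """Return the Server header value from a raw HTTP response head, or None."""
    for line in raw_head.split("\r\n")[1:]:
        if not line:            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def find_version_leaks(server_header):
    """List every (product, version) pair a Server header value gives away."""
    if not server_header:
        return []
    return _VERSION_RE.findall(server_header)


def banner_is_quiet(server_header):
    """True when the banner names no version, which is what the thread is after."""
    return not find_version_leaks(server_header)


if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(label, "quiet" if banner_is_quiet(banner) else find_version_leaks(banner))
```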
That did it! Thanks!
Rick

Steve McMahon wrote:
Looks like there's one line in ZServer/HTTPServer.py that does it all:
SERVER_IDENT='Zope/%s ZServer/%s' % (ZOPE_VERSION,ZSERVER_VERSION)
If you wanted to emulate the Apache production settings, you could change that to:
SERVER_IDENT='Zope'
D. Rick Anderson wrote:
I don't believe in relying on security-through-obscurity...
I couldn't agree more, but it shows up as a 'warning' in Nessus, and my boss wants it cleared up. I don't intend to 'rely' on that, but why give some dough-head out there more information than you have to? I've done it to our servers that ARE running apache with:
ServerTokens Prod
and then all they return is "Apache" without any versioning info, and if you set:
expose_php = Off
in your /etc/php.ini it won't barf out all of your PHP version information either. I just want to know how to do it in Zope. ....
On Wednesday 01 October 2003 01:11, D. Rick Anderson wrote:
I don't believe in relying on security-through-obscurity...
I couldn't agree more, but it shows up as a 'warning' in Nessus, and my boss wants it cleared up. I don't intend to 'rely' on that, but why give some dough-head out there more information than you have to? I've done it to our servers that ARE running apache with:
ServerTokens Prod
and then all they return is "Apache" without any versioning info, and if you set:
expose_php = Off
in your /etc/php.ini it won't barf out all of your PHP version information either. I just want to know how to do it in Zope.
Thanks,
Rick
Actually this is useful: if you have a proxy in front of Zope and it passes the headers through unchanged any attacker will try to attack Zope rather than the proxy. Of course, it won't work. This is a bit of "security through obscurity", but any little bit helps. In the Pound logs we see every day quite a few nasty attempts against IIS servers which fail because Pound rejects them... So I suggest you try this tack with your boss - it may even sound "sophisticated" and "tricky" enough for him. If it doesn't help try some "based on this in-depth analysis of the current security threat level, I feel that an indirect approach to the solution may enhance our proactive stance". Shareholder value? Due diligence? Multi-cultural?
-- Robert Segall Apsis GmbH Postfach, Uetikon am See, CH-8707 Tel: +41-1-920 4904
Robert Segall wrote:
Actually this is useful: if you have a proxy in front of Zope and it passes the headers through unchanged any attacker will try to attack Zope rather than the proxy. Of course, it won't work.
This is a bit of "security through obscurity", but any little bit helps. In the Pound logs we see every day quite a few nasty attempts against IIS servers which fail because Pound rejects them...
Stop. Read what you've said, it doesn't make any sense. You're claiming an attacker won't target your proxy server because it doesn't identify itself to the client. Then you turn right around and admit you see several attempted IIS exploits in your logs every day. Does your Zope server identify itself as IIS, does your gateway server? See where I'm going with this?
-- Jamie Heilman http://audible.transient.net/~jamie/ "I was in love once -- a Sinclair ZX-81. People said, "No, Holly, she's not for you." She was cheap, she was stupid and she wouldn't load -- well, not for me, anyway." -Holly
On Wednesday 01 October 2003 04:05, Jamie Heilman wrote:
Robert Segall wrote:
Actually this is useful: if you have a proxy in front of Zope and it passes the headers through unchanged any attacker will try to attack Zope rather than the proxy. Of course, it won't work.
This is a bit of "security through obscurity", but any little bit helps. In the Pound logs we see every day quite a few nasty attempts against IIS servers which fail because Pound rejects them...
Stop. Read what you've said, it doesn't make any sense. You're claiming an attacker won't target your proxy server because it doesn't identify itself to the client. Then you turn right around and admit you see several attempted IIS exploits in your logs every day. Does your Zope server identify itself as IIS, does your gateway server? See where I'm going with this?
Sorry, I may have not written as clearly as I should have (it is late at night here and I'm trying to wrap up something else). Imagine the setup where your web server is IIS (not Zope pretending to be one, but really IIS) and Pound is used as a proxy in front of it. Attackers who think they are dealing with IIS (because of the headers) try to attack it by the normal IIS-specific methods (mostly buffer overflows, Nimda/CodeRed). These attempts are caught and rejected by Pound - the log entries I was referring to. Granted, this is not that much security, but still two separate systems attempting to validate the same request by different methods (once the proxy, then the actual web server) should be better than one. It is also true that any proxy you use may introduce vulnerabilities of its own, which may be exploited. However, it is quite often the case that a proxy is a simpler piece of software than a web server, and thus easier to check for errors/vulnerabilities, and certainly easier to run in a root-jail, possibly on a separate machine. Hope this clears up the misunderstanding.
-- Robert Segall Apsis GmbH Postfach, Uetikon am See, CH-8707 Tel: +41-1-920 4904
D. Rick Anderson wrote:
How do we modify the 'Server' string in Zope? My boss is on a security kick, and somebody got him stuck on the term 'banner grabbing'. I just want to put something in there that doesn't identify the server or version.
Zope has such a distinctive fingerprint that changing the Server header won't do a damn bit of good. Trying to obscure what software you're using never does anything but increase deployment and maintenance costs.
-- Jamie Heilman http://audible.transient.net/~jamie/ "...thats the metaphorical equivalent of flopping your wedding tackle into a lion's mouth and flicking his lovespuds with a wet towel, pure insanity..." -Rimmer
participants (5)
- D. Rick Anderson
- Jamie Heilman
- Mitch Pirtle
- Robert Segall
- Steve McMahon