Prevent Web servers from identifying themselves

Help prevent intrusions by concealing a Web server's identity.

The primary mechanisms for detecting hacks are intrusion detection systems. Unfortunately, many of these products generate a lot of false positives and may allow an actual hack attempt to go undetected. While all intrusion detection systems work differently, generally they monitor network traffic and look for anything out of the ordinary.

For example, if your Web server gets a million requests a day over port 80 but none over port 25, then a request over port 25 would be considered unusual and should be reported by an intrusion detection system. Nonetheless, hackers know these systems look for abnormal traffic patterns and therefore make every effort to blend in so that their activities will go unnoticed by the system. However, by concealing your Web server's identity, you can make a hacker's attempts a little more noticeable.

Information gathering
One way that hackers blend in is by gathering information about the server before beginning a hack. For example, few people would deny that, if left unpatched, Microsoft's Internet Information Server (IIS) and the underlying Windows operating system have hundreds, if not thousands, of potential vulnerabilities that could be exploited in an effort to gain an unauthorized level of access to a system.

One of the first things a hacker looks at is the HTTP header information to find out what Web server software is running. If the hacker were to discover that the server was running IIS 5.0, he or she could begin exploiting known IIS 5.0 security weaknesses. If, on the other hand, the hacker were to find out that the server was running Apache, he or she would try some of the various Apache hacking techniques. Figure A displays header information that's available to anyone from the Web server hosting

Figure A
Web servers disclose a lot of technical information to anyone who asks.

Most Web servers are all too happy to disclose their identities and software versions. Also, different types of Web servers expect different types of traffic. For example, a request (outside of casual Web browsing) that might be considered normal for an Apache server would be considered abnormal for an IIS server. An intrusion detection system looks for abnormal traffic, so it only makes sense that a hacker would work within the confines of what is considered normal for the protected Web server.

Concealing identity
What if you could program your Web server to lie about its underlying software? For example, you could make an IIS server pretend to be an Apache server. Then a hacker attempting to break into your Web site would use hacking techniques intended for Apache servers. These techniques should stick out like a sore thumb and be picked up by your intrusion detection software.

You could even prevent the IIS server from giving up its identity at all. Then a hacker would be forced to perform additional probing to determine the server type. Hopefully, this additional probing would also be picked up by your intrusion detection system.

There are no mechanisms built into the Windows operating system or IIS that allow you to obscure the identity or version information of IIS. However, there are companies that make products designed to modify the HTTP header for the purpose of obscuring or misidentifying the server's identity.

There is one tool that I've found that helps conceal an IIS header, as well as other server information. The tool is called ServerMask, and it's made by a company called Port80 Software. I really like this software because it goes the extra mile in trying to block most of the techniques that hackers use to identify a Web server. I also like that it is easy to install, has a very small footprint, and it doesn't seem to impact the performance of the Web server that it's protecting. You only need one license per server, regardless of how many Web sites that server may host. A license costs $49.95, with discounts given for five or more licenses. There is also a 30-day trial available for download on the company's Web site.

Source code vulnerability
Although software like ServerMask does a good job of obscuring the type of Web server you're using, keep in mind it isn't foolproof. For example, a hacker may be able to open your home page in a Web browser, use the View Source option, and gain enough information just by looking at the source code to determine what type of Web server you're running.

Granted, ASP source code is interpreted at the server level, so the source code that the hacker sees is not the full code. However, there are still clues scattered throughout the code. For example, you can see in Figure B that this sample of code from my Web site gives away several clues. It uses a Windows character set and makes calls to other pages written in ASP. As if that weren't enough, there is a meta tag explaining that the site is a Windows-specific portal. If this isn't a clue as to what operating system I'm using, I don't know what is.

Figure B
Source code often yields clues to the server type.

Other areas of concern
Hackers may also look at something as simple as the file extension of the server page to determine the Web server. For example, if a Web page uses the ASP extension, the hacker can be sure that he or she is dealing with a Windows server running IIS. Also, the hacker could look for the presence of WebDAV, a Microsoft-specific HTTP Public header (a relic left over from HTTP 1.0), or even ASP session cookies. Obviously, you can never be too careful when it comes to concealing information about your network's Web servers.
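
An added example, not from the original article or from Port80 Software: a Python check an administrator can run over a response from his or her own server to list the identity clues named above (server banner, Public header, WebDAV headers, ASP session cookie, Windows character set, links to ASP pages). The two sample responses, the rule lists and the function names are constructed for illustration; the second sample shows that masking headers alone leaves the source-code clues in place.

```python
import re

# Constructed samples (not captured traffic): unmasked, then headers masked.
BODY = ('<html><head><meta http-equiv="Content-Type" '
        'content="text/html; charset=windows-1252"></head>'
        '<body><a href="/news/default.asp?id=4">News</a></body></html>')
UNMASKED = ("HTTP/1.1 200 OK\r\n"
            "Server: Microsoft-IIS/5.0\r\n"
            "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
            "MS-Author-Via: DAV\r\n"
            "Set-Cookie: ASPSESSIONIDQQGGGNCG=ABCDEFGHIJKLMNOP; path=/\r\n"
            "Content-Type: text/html\r\n\r\n" + BODY)
MASKED = ("HTTP/1.1 200 OK\r\n"
          "Set-Cookie: SID=ABCDEFGHIJKLMNOP; path=/\r\n"
          "Content-Type: text/html\r\n\r\n" + BODY)

# (header name, value pattern, what the value gives away)
HEADER_RULES = [
    ("server", r"\S", "server banner"),
    ("public", r"\S", "Public header"),
    ("dav", r"\S", "WebDAV advertised"),
    ("ms-author-via", r"\S", "WebDAV advertised"),
    ("set-cookie", r"^ASPSESSIONID", "ASP session cookie name"),
]
BODY_RULES = [
    (r"charset=windows-\d+", "Windows character set"),
    (r"""(?:href|src|action)=["'][^"']*\.asp\b""", "link to an ASP page"),
]

def parse_response(raw):
    """Split a raw HTTP response into lower-cased header pairs and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    pairs = [line.partition(":") for line in head.split("\r\n")[1:]]
    return [(n.strip().lower(), v.strip()) for n, _, v in pairs], body

def audit(raw):
    """Return (location, clue, evidence) for each identity leak found."""
    headers, body = parse_response(raw)
    findings = [(f"header:{name}", clue, value)
                for name, value in headers
                for rule, pattern, clue in HEADER_RULES
                if name == rule and re.search(pattern, value, re.I)]
    for pattern, clue in BODY_RULES:
        findings += [("body", clue, m.group(0))
                     for m in re.finditer(pattern, body, re.I)]
    return findings

if __name__ == "__main__":
    for label, raw in (("unmasked", UNMASKED), ("masked", MASKED)):
        print(label, *audit(raw), sep="\n  ")
```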
