By Mike Mullins
In many organizations, Web server security starts with hardening the operating system (OS) and usually ends with creating a firewall rule or an access list on a router. However, the security profile for your Web server shouldn't end there.
Public Web servers are usually the weakest point in the security perimeter. You should take every step possible to maximize security on this public asset. Obscuring your Web server's identity by disguising and removing identifying details is a sound security principle. You can protect your Web server from hackers by changing your header information, renaming Web file extensions, and customizing error messages.
Stop header broadcasting
By default, your Web server broadcasts the OS and the type/version information about the Web application that's serving the Web pages. This information isn't necessary to the clients that visit your Web site, but hackers and crackers can find it very useful. So change your Web server's banner or header information.
On UNIX platforms running Apache Web servers, you can use the mod_headers module to configure your Web header to say just about anything you like. If your organization uses a Microsoft platform, install IIS LockDown and use the configuration options under the URLScan's .ini file for replacing the header. When using these tools, be aware that they can possibly corrupt scripting platforms such as ColdFusion, ASP, and PHP.
I'd recommend checking out a product such as ServerMask from Port80 Software. ServerMask can safely remove or modify a variety of information and add minutes to multiple pages or sites on a single server without corrupting the scripting engines that deliver your content. This step could decoy an attacker into running the wrong attack scripts, which will generate multiple log entries and increase your probability of detecting an attack.
Stop file extension broadcasting
Web page extensions can also reveal the type of server you're running. File extensions like .asp or .aspx give away an IIS-powered Web server. Change the application mapping and rename your Web pages to .web. Decide on an extension naming standard and change the application mapping for that new extension.
For Apache servers, use the mod_negotitation module to stop broadcasting file extensions. When using mod_negotiation to remove file extensions from your Web pages, remember that you'll also need to use the mod_headers module to suppress the Content Location Header.
Change error broadcasting
Error messages also tend to indicate specific Web platforms. Create custom error messages for the most common Web error messages (e.g., 404 and 403) to further disguise your Web server and the OS on which it's running.
Disguising your Web server won't make your site invulnerable to attacks or stop the ubercracker, but it'll definitely frustrate the efforts of less experienced script kiddies. And while obscurity doesn't take the place of a properly patched and configured server, it does enable you to reduce your target signature and force an attacker to move on to easier prey.
Don't give hackers and crackers valuable information about your servers. Security through obscurity isn't a new concept, but it's another valuable tool in your security toolbox.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.