Basic Apache Hardening Lab - savannahc502/SavC-TechJournal-SEC260 GitHub Wiki
Some notes are copied from Champlain College Canvas materials
- Open a new tab in Chrome
- Hit F12 to open developer mode
- Browse to your web server
- In the Developer window, click the Network tab, then click on your site
- Under Response Headers you should see the Apache version
- Document the version you are running for submission
- Apache/2.4.37(rocky)OpenSSL/1.1.1k
- Exposing the version of your Apache server means you are helping hackers with the reconnaissance process.
Fixing this:
- Go to $Web_Server/conf folder
- Modify httpd.conf by using vi editor
- Add the following directive and save the httpd.conf:
ServerTokens Prod
ServerSignature Off
- Restart apache
systemctl restart httpd
- ServerSignature Off removes the version information from the pages Apache generates for errors like 403, 404, 502, etc. ServerTokens Prod reduces the Server header to the product name only, i.e. Apache
- Use Google Chrome Developer (F12) - Network - and look at Response Headers --> Apache version should be gone.
Disable directory listing in a browser so the visitor doesn’t see all the files and folders you have under the web root or a subdirectory. Let’s test what it looks like with default settings.
cd /var/www/html
mkdir test
cd test
echo "chao" >> hi.txt
echo "chao chao" >> hello.txt
Now, let’s try to access Apache by going to http://ip_address/test:
Restricting Directory Browsing:
- Go to $Web_Server/conf directory
- Open httpd.conf using vi -->
vi /etc/httpd/conf/httpd.conf
- Find the <Directory /var/www/html> block (the web root) and change its Options directive to None
<Directory /var/www/html>
...
Options None
...
</Directory>
- Restart Apache -->
sudo systemctl restart httpd
Now, let’s try to access Apache by going to http://localhost/test:
Now go to http://your-server_IP/test/hi or http://your-server_IP/test/hello --> You should still be able to see your files
By default, the TRACE method is enabled in the Apache web server. The TRACE method echoes back whatever is in the request. It was originally used for troubleshooting, to make sure the server was receiving properly formatted headers from the client.
Having this enabled can allow Cross-Site Tracing attacks and potentially allow a hacker to steal cookie information. Let’s see how it looks in the default configuration.
- Install telnet if command is not found
yum install telnet
- From your web server's command line you can open a telnet session to Apache on itself
- Make a TRACE request as shown below
#telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: test
(enter)
(enter)
- As you can see above, the TRACE request was answered and the request (start line and headers) was echoed back.
Try sending it some different requests - as long as the general format is correct, it should work regardless of what you type. For example:
TRACE /blahblahblah!!! HTTP/1.1
Host: ToTheMoon
Meaningless: NonSense
It should echo back what you wrote.
Now imagine including a script in that request:
TRACE /<script>foo</script> HTTP/1.1
Host: ToTheMoon
Meaningless: NonSense <script>bar</script>
- If that works, you can now see that even JavaScript can be injected into the TRACE response, which could be used to access headers meant for one site (such as authentication tokens) and send them to another. This is known as Cross-Site Tracing (XST).
Disabling Trace
- Go to $Web_Server/conf directory
- Add the following directive and save the httpd.conf:
TraceEnable off
- Restart apache
Verification:
- Telnet to the web server and make a TRACE request as shown below
#telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: test
(enter)
(enter)
- As you can see above, the TRACE request was blocked with an HTTP 405 Method Not Allowed.
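To verify all three items in this lab at once (Server header, directory listing, TRACE), here is an added Python checker that is not part of the original lab or of Apache: it parses a raw HTTP reply, with constructed before/after sample replies inline, and can also talk to a live server the way the telnet session above does.

```python
import re
import socket

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x reply into (status code, {lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def server_header_leaks(headers) -> bool:
    """True when Server has more than the product name (a /version, an (OS), a module); ServerTokens Prod gives just 'Apache'."""
    server = headers.get("server", "")
    return bool(re.search(r"/\d", server) or "(" in server)

def directory_listing_exposed(status, body: bytes) -> bool:
    """Apache's autoindex page (Options Indexes) titles itself 'Index of /...'."""
    return status == 200 and b"Index of /" in body

def trace_enabled(status, headers) -> bool:
    """A TRACE echo comes back 200 with Content-Type message/http; TraceEnable off answers 405."""
    return status == 200 and headers.get("content-type", "").startswith("message/http")

def audit(raw: bytes) -> dict:
    """Run all three checks on one raw reply (a TRACE reply exercises the first and third)."""
    status, headers, body = parse_response(raw)
    return {"version_leak": server_header_leaks(headers),
            "trace_enabled": trace_enabled(status, headers),
            "dir_listing": directory_listing_exposed(status, body)}

def send_raw(host: str, request: bytes, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send a raw request like the lab's telnet session; it must say Connection: close so the read ends at EOF."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        return sock.makefile("rb").read()

# Constructed sample replies (not captured from a real host): default config vs. hardened config.
BEFORE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.37 (rocky) OpenSSL/1.1.1k\r\n"
          b"Content-Type: message/http\r\n\r\nTRACE / HTTP/1.1\r\nHost: test\r\n\r\n")
AFTER = (b"HTTP/1.1 405 Method Not Allowed\r\nServer: Apache\r\nAllow: GET,POST,OPTIONS,HEAD\r\n"
         b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n<html><body>405</body></html>")
TRACE_REQUEST = b"TRACE / HTTP/1.1\r\nHost: test\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    print("before:", audit(BEFORE), "after:", audit(AFTER))
    # Live check of your own lab box: print(audit(send_raw("localhost", TRACE_REQUEST)))
```

Run it against your own lab server after each step; the three flags should all read False once ServerTokens Prod, Options None and TraceEnable off are in place.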