Created attachment 237
Patched global.conf
By default, the IPFire webserver adds a very detailed footer, containing version number, loaded modules and so on. This is not recommended for servers running in a productive environment. Only the configuration file "global.conf" in /etc/httpd/conf needs to be changed. Attached is a possible solution.
In case of errors, lighthttp adds a very detailed footer to the error page, containing version number, loaded modules (php, ssl, ...) and their versions. This is a security risk because it discloses installed and loaded modules. To avoid this, set "ServerTokens" in /etc/httpd/conf/global.conf to "Prod". lighthttp then only prints the product ("Apache"). Attached is a possible solution.
I accepted this patch although this does not really change anything. This is open source software, unless you are running an outdated version it is publicly known which version of apache is running with which modules.
http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=becbf67de73290f43fd6658c2c66c6e174d6afe2
(In reply to Michael Tremer from comment #2)
> I accepted this patch although this does not really change anything. This is
> open source software, unless you are running an outdated version it is
> publicly known which version of apache is running with which modules.

Of course, just hiding the version information doesn't change anything. In my opinion, the version information has no function, so it is safe to disable it since nobody needs it and it makes it easier for an intruder to detect whether you run the latest version of IPFire or not. Because of that, I thought it might be useful to disable it.

> http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=becbf67de73290f43fd6658c2c66c6e174d6afe2

Thanks for accepting it, I hope I didn't annoy you.
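
A configuration check for the setting discussed in this thread, as an added example (not part of the bug report or of IPFire's code): it resolves the effective ServerTokens and ServerSignature values from Apache configuration text and classifies a Server response header. The sample configurations and header strings are constructed, and the parser is an assumption-level simplification that reads one flat file without following Include directives or virtual-host scopes.

```python
import re

# Apache's documented defaults when a directive is not set.
DEFAULTS = {"servertokens": "Full", "serversignature": "Off"}

# Constructed sample configurations (not IPFire's actual global.conf).
BEFORE = """\
# constructed sample
ServerRoot /etc/httpd
ServerSignature On
"""
AFTER = BEFORE + "ServerTokens Prod\n"

def effective_directives(conf_text):
    """Return the last value set for each tracked directive, else its default."""
    values = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()  # directive names are case-insensitive
        if name in values and len(parts) == 2:
            values[name] = parts[1].strip().strip('"')
    return values

def audit(conf_text):
    """Return findings about version disclosure; an empty list means none."""
    v = effective_directives(conf_text)
    if v["servertokens"].lower() in ("prod", "productonly"):
        return []
    where = ["Server response header"]
    if v["serversignature"].lower() != "off":
        where.append("error-page footer")
    return ["ServerTokens %s exposes version details in: %s"
            % (v["servertokens"], ", ".join(where))]

def header_discloses(server_header):
    """True if a Server header value carries a version or module list."""
    return re.search(r"[/(\d]", server_header) is not None

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf) or "no version disclosure configured")
    # Constructed header values, as seen with ServerTokens Full and Prod.
    print(header_discloses("Apache/2.4.0 (Unix) OpenSSL/1.0.0 PHP/5.0.0"))
    print(header_discloses("Apache"))
```

With ServerSignature left on and ServerTokens set to Prod, the error-page footer is still generated but names only the product, which matches the behaviour described in the report.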