« Compressing HTML Content in Tomcat 6 | Main | Weekend Post: Articles from 8/9 to 8/15 »

08/15/2008

Apache Configuration and PCI Compliance - Configuration Change #1

If you are a web site administrator running Apache, one of the most important server configuration directives you must set, a lesson that I have sorely learned over the past couple weeks, is to set the following in your httpd.conf:

    ServerTokens Prod
    ServerSignature Off

A third party PCI Scan at some point inspects the headers on a response to a request and reads the value returned in the "Server" HTTP Response Header.  If you don't have ServerTokens defined at all, the default behavior for apache httpd is "Full", which returns the apache version, OS and OS version, and the version number of many modules. On Redhat Linux, the default is set to "OS". If you are running Apache 2.2.4 and PHP 4.4.0 for example, an http "Server" response header that looks something like this when ServerTokens is not set or set to "All":

Server: Apache/2.2.4 (Unix) PHP/4.4.0

Seeing this, the PCI scanner will tag you with many, many vulnerabilities that you then must remediate and will force an upgrade of all your systems on you that might not be at the most convenient time within your organization. Setting ServerTokens to "Prod" (or "ProductOnly"), you will only see "Apache" in the http response header and the pci scanning utility can not automatically tag you with a whole bunch of vulnerabilities without doing some other kind of intelligent assessment first.

If you are not using a custom error page for every potential type of http response code, apache will default with a built-in response page.  The footer of the web server generated error page will contain the Apache version, OS version, and the version number of any additional modules like mod_php, mod_perl, mod_jk, etc., that may be active (or may have been compiled into the version of apache you are running).  Simply unloading the module responsible for providing PHP support, for example, is not enough to remove the version information from the footer (or from the Server header).  Setting ServerSignature to "Off" turns this information off in the footer of these server-generated pages.

NOTE:  If you are using a version of apache newer than version 2.0.44, then the information provided in the footer is also controlled by ServerTokens so setting a ServerSignature directive is not necessary.

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a01156fbc6fe6970c01157228813c970b

Listed below are links to weblogs that reference Apache Configuration and PCI Compliance - Configuration Change #1:

Comments