Back to Posts List

Server Masking - First Line of Defense

Share this article

Posted on March 15th, 2011 by Victoria Pal in Tech
Protect your serverThere are various ways to protect a web server. Web servers often become victims of DDoS attacks and it is not uncommon for exploits to be used to gain access or break a web server. Protection comes in different forms and levels, the costs vary, but sometimes there are simple solutions. This one you can implement today. You can mask your server. When looked up, the server can say anything. I mean it, anything. It is probably a good practice to not make up something like “WSP Unbreakable Server 1.3.5”, but to instead choose one from the existing web server platforms.

There are two ways to go about this. You can make your server identify as a completely different server or just to say it is an older version of the server you run. When you choose to make your Lighttpd server identify as Apache, you take a great portion of amateur attacks and direct them in a completely wrong direction. On the other hand, if you decide to simply identify as an older version, 3rd parties who try anything funny will probably try to exploit your server with outdated tactics. It can still be useful. What actually works best is to change the name and version of the server. This should take care of at least some malevolent eyes.

Server mask
Many sites use this. Torrent trackers are one good example. Most of these sites do not use Apache as trackers usually go for Lighttpd or Nginx. From the example above you can see that the web server powering the site is Apache 1.3.29. This is actually quite old now. The latest stable release is Apache 2.2.17.

There is actually a bit more to it than just masking your server’s name. If you are running a Windows server (secure enough, but it can use some tweaks), there is a commercial software solution. It takes care of more than just server name change. It’s called ServerMask. Like with most commercial software there is a free trial for you to try. A great solution for Apache is Mod_Security.

If you like to know more about this and how to implement it your self, try searching the web for “server banner strings”, “apache binary patching”, “web server mask” and similar queries. You should be able to find all the information you need. It is quite a lot so I can’t have it all in one post.

Let us know how that turns out for you!

Victoria Pal

Doesn't like queuing (particularly at Wimbledon). Likes travelling, tennis and reading. Loves working as a Project Manager at WebSitePulse.

comments powered by Disqus