Forum OpenACS Q&A: AOL Server Query: changing server header response

Hi,

Anyone know how to setup AOL Server such that it doesn't reveal all when probed by a "curl -I IPXX.XX.XX.XX." type query?

In Apache, you can add "ServerTokens Prod" - is there something similar in AOL Server?

Thanks for any help,
Cheers Roland.

Collapse
Posted by Chris Davies on
while security through obscurity isn't the best thing, you can probably grep through the code and find where it returns the header with the server name.

Culling the AOLServer 4.0 release tarball, it looks like nsd/return.c line 461 could be commented out or changed to whatever you want, however, that is but one of the problems.

Now that you've hidden the server type, the script kiddies will start using all sorts of scripts to determine what you are running.  Then you need to sanitize OpenACS to not give any mention of itself, because that will also give away what you are running.  Then consider your 4xx/5xx pages, because they might give some indication what is running.  Then you need to probably change the way your server responds to particular error conditions.  i.e., if you know that /acs-admin/ should exist, that will give away what you are running.  Or the forgot your password email might have some mention of the MUA/server handler in the headers.

Then you need to sanitize the cookies that are set.  I believe ad_session_id is set which might give some indication that you are running OpenACS, and therefore would follow that you are running Aolserver -- easily allowing one to try different exploits.

All of these of course assume a number of things -- that you r attackers are hitting you through the web server.  Identification of the target machine is usually the first step in the process.  Knowing it runs AOLServer, there might be some exploits that could be used.  There are many ways to protect yourself and add layers, whether it be chrooting AOLServer or running it behind a proxy or load balancer.

But then, you still have the issue that using nmap, one still might be able to identify the OS you are running, and the other services on the box that might be running.  At that point, there are other attacks that could be staged -- ones that might be easier than going through nsd.

With GRsecurity's patches, you can alter the pid numbers, alter the TCP sequence numbers and a number of other things to the point where nmap will only give a 50% possibility that you are running Linux and 84% that you are running Windows... and you can use ACLs and lock many things and have an unbreakable chroot (save for the recent kernel exploit in linux).

Personally, changing the server fingerprint just doesn't do enough to prevent the dedicated hacker/defacer from going about his work, and really, it doesn't make it too much easier since they usually use automated tools to do their dirty work.  Might save a few kb across the line, or a few cpu cycles because it can intelligently skip past tests where it already knows the answer -- but, most of the scripts I have seen blindly run every test on every host and catalog the interesting ones.

So, whether it makes sense to change the server type, I think that is the least of the worries.  Are you also changing the fingerprints of ssh, ftp, your smtp software and any other services that might answer on other ports?

Collapse
Posted by roland dunn on
Hurumph, OK, thanks alot for the advice.

Do you know, or does anyone know, of any FAQ's/documentation on how to password protect a folder in AOL server so you get a username/password dialog box appearing?

Thanks

Collapse
Posted by Kjell Wooding on
Nope. Changing the server string doesn't stop a dedicated attacker.

It can, however, make it a LOT noisier in the logs when a script kiddy takes a poke at you, which may be desirable.

As long as you don't rely on the "obscurity" behavior as a replacement for keeping the box patched, and so on, it certainly doesn't make the system any less secure.

Collapse
Posted by Randy O'Meara on
Roland,

If you're looking for the equivalent of apache's "basic" auth functionality, you'll want to use/configure the AOLserver nsperm module. Configuration consists of:

adding files to <server_root>/modules/nsperm:
    group
    passwd
    perms

and adding to your service's startup config.tcl:
    ns_section ns/server/${server}/modules
    ns_param  nsperm          ${bindir}/nsperm.so

Check aolserver.com for additional info.

Randy

Collapse
Posted by Brian Fenton on
You could also try putting something like this code (taken from nstelemetry) into a filter which runs just for your directory:
## Nasty-cheap authenticator.
if {[ns_conn authuser] != "nsadmin" || [ns_conn authpassword] != "x"} {
    ns_returnunauthorized
    ns_adp_break
}