diff --git a/exercises/h4.md b/exercises/h4.md index f0c786c..dbbf723 100644 --- a/exercises/h4.md +++ b/exercises/h4.md @@ -13,7 +13,7 @@ This exercise is a part of [Linux Server Administration (ICT4TN021, spring 2018) - [EXTRA: Deleting Server field from HTTP header by updating Apache source code on Debian-based Linux distributions](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-deleting-server-field-from-http-header-by-updating-apache-source-code-on-debian-based-linux-distributions) - - [EXTRA: Disable userdir module for user nobody to avoid server detection](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-disable-userdir-module-for-user-nobody-to-avoid-server-detection) + - [EXTRA: Disable userdir module for user nobody to reduce server detection](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-disable-userdir-module-for-user-nobody-to-reduce-server-detection) - [b) **Default website** Set user default website to be the default website for Apache in your virtual server environment.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#b-set-user-default-website-to-be-the-default-website-for-apache-in-your-virtual-server-environment) @@ -417,7 +417,7 @@ Header unset ETag More about HTTP header syntax in [Wikipedia](https://en.wikipedia.org/wiki/List_of_HTTP_header_fields). More articles in [ETag](https://en.wikipedia.org/wiki/HTTP_ETag), [Vary: Accept-Encoding](https://blog.stackpath.com/accept-encoding-vary-important), etc. -### EXTRA: Disable userdir module for user nobody to avoid server detection +### EXTRA: Disable userdir module for user nobody to reduce server detection It is recommended to set `UserDir disabled nobody` in `/etc/apache2/mods-enabled/userdir.conf` file as Metasploit offensive scanning method `scanner/http/dir_scanner` can detect existence of URL/folder path `/~nobody`. Minimize attack vector, and just disable the userdir module for user `nobody` on the server as follows: