@ -12,14 +12,14 @@ This exercise is a part of [Linux Server Administration (ICT4TN021, spring 2018)
- [a) **Websites on the server** Make it possible to create home pages with normal user privileges in your virtual server environment.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#a-make-it-possible-to-create-home-pages-with-normal-user-privileges-in-your-virtual-server-environment)
- [a) **Websites on the server** Make it possible to create home pages with normal user privileges in your virtual server environment.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#a-make-it-possible-to-create-home-pages-with-normal-user-privileges-in-your-virtual-server-environment)
- [EXTRA: Deleting Server field from HTTP header by updating Apache source code on Debian-based Linux distributions](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-deleting-server-field-from-http-header-by-updating-apache-source-code-on-debian-based-linux-distributions)
- [EXTRA: Deleting Server field from HTTP header by updating Apache source code on Debian-based Linux distributions](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-deleting-server-field-from-http-header-by-updating-apache-source-code-on-debian-based-linux-distributions)
- [EXTRA: Delete suggestive HTTP error code messages from Apache HTML output by updating Apache source code](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-delete-suggestive-http-error-code-messages-from-apache-html-output-by-updating-apache-source-code)
- [EXTRA: Disable userdir module for user nobody to reduce server detection](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-disable-userdir-module-for-user-nobody-to-reduce-server-detection)
- [EXTRA: Disable userdir module for user nobody to reduce server detection](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-disable-userdir-module-for-user-nobody-to-reduce-server-detection)
- [EXTRA: Delete suggestive HTTP error code messages from Apache HTML output by updating Apache source code]()
- [EXTRA: Additional protection by fine-tuning Apache HTTP headers]()
- [EXTRA: Additional protection by enabling ModSecurity module in Apache]()
- [EXTRA: Additional protection by fine-tuning Apache HTTP headers](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-additional-protection-by-fine-tuning-apache-http-headers)
- [EXTRA: Additional protection by enabling ModSecurity module in Apache](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-additional-protection-by-enabling-modsecurity-module-in-apache)
- [b) **Default website** Set user default website to be the default website for Apache in your virtual server environment.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#b-set-user-default-website-to-be-the-default-website-for-apache-in-your-virtual-server-environment)
- [b) **Default website** Set user default website to be the default website for Apache in your virtual server environment.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#b-set-user-default-website-to-be-the-default-website-for-apache-in-your-virtual-server-environment)
@ -431,7 +431,10 @@ More about HTTP header syntax in [Wikipedia](https://en.wikipedia.org/wiki/List_
> Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
> Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
> Additionally, a <CODE><MESSAGE> error was encountered while trying to use an ErrorDocument to handle the request.
and
> Additionally, a 'CODE' 'MESSAGE' error was encountered while trying to use an ErrorDocument to handle the request.
The message can give a hint about underlying server configuration to a (hostile) client. Applying the patch to the Apache source code will remove the message from erroneous server response. Applying the patch may give little protection against hostile clients who are trying to identify the server you're running on your website.
The message can give a hint about underlying server configuration to a (hostile) client. Applying the patch to the Apache source code will remove the message from erroneous server response. Applying the patch may give little protection against hostile clients who are trying to identify the server you're running on your website.
@ -466,26 +469,6 @@ msf auxiliary(scanner/http/dir_scanner) > run
[*] Using code '404' as not found for AAA.BBB.XXX.CCC
[*] Using code '404' as not found for AAA.BBB.XXX.CCC
[+] Found http://AAA.BBB.XXX.CCC:80/~nobody/ 403 (AAA.BBB.XXX.CCC)
[+] Found http://AAA.BBB.XXX.CCC:80/~nobody/ 403 (AAA.BBB.XXX.CCC)
```
```
### EXTRA: Delete additional HTTP error code messages from Apache HTML output by updating Apache source code
[This patch file](https://raw.githubusercontent.com/Fincer/linux-server-setup/master/patches/patch_apache_disable_additional_errormsg.patch) removes the following field from Apache HTML output if multiple errors were encountered while processing the client request:
> Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
> Additionally, a <CODE><MESSAGE> error was encountered while trying to use an ErrorDocument to handle the request.
The message can give a hint about underlying server configuration to a client. Applying the patch to the apache source code will remove the message from erroneous server response.
As I have stated in the patch file, the removal can bury underneath problems in server configuration and thus hamper debugging of errors which are based on HTTP return codes. Thus, use discretion before implementing the patch in the Apache server configuration, especially in production and in other sensitive environments.
Apply the patch by doing the following in your `~/source_codes/apache2/apache2-2.4.18` folder: