Quote:
Originally posted by goBigtime
Sumthin tells me you should be making sure your SSL enabled webservers are (and have been) using a safe version of OpenSSL instead of worrying how to block requests for /sumthin
If your server responds with something other than your 404 page when you hit https://www.yourserver.com/sumthin -- then you have problems & should contact your system administrator for a complete reinstallation.
Thanks for the advice.
I'm administrating it myself and all software is up to date. And you are right, there were attacks on some servers with an old version of OpenSSL right after checking them.
One more thing to do would be putting these in the httpd.conf file.
ServerTokens prod
ServerSignature off
Those make Apache stop giving software & versions in the header. It just gives "Apache" instead of detailed info. Of course that is not a protection but it feels better when it doesn't give them what they want.
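A way to confirm that the two directives above took effect, as an added example that is not part of the original post: it inspects a raw HTTP response for version tokens in the Server header (governed by ServerTokens) and for the server footer on error pages (governed by ServerSignature). Both sample responses, including the version numbers and host name in them, are constructed for illustration.

```python
import re

# Constructed sample responses for illustration; not captured from a real server.
BEFORE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Mon, 01 Jan 2001 00:00:00 GMT\r\n"
    "Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6b\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1><hr>\n"
    "<address>Apache/1.3.26 Server at www.example.com Port 443</address>\n"
    "</body></html>\n"
)
AFTER = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Mon, 01 Jan 2001 00:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>\n"
)

# product/version tokens such as "Apache/1.3.26" or "OpenSSL/0.9.6b"
VERSIONED = re.compile(r"[A-Za-z_\-]+/\d[\w.\-]*")
# footer that ServerSignature On appends to server-generated pages
SIGNATURE = re.compile(r"<address>[^<]*\bServer at\b[^<]*</address>", re.I)

def audit(raw):
    """Return {directive: leaked strings} for one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    server = ""
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            server = value.strip()
    findings = {}
    tokens = VERSIONED.findall(server)
    if tokens:
        findings["ServerTokens"] = tokens
    footers = SIGNATURE.findall(body)
    if footers:
        findings["ServerSignature"] = footers
    return findings

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw) or "no version disclosure")
```
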