Apache Security Notes

Fixing Problems Reported by the Security Scan

There are two (2) separate, independent "vulnerabilities" that the security scan looks for in Apache servers. Either or both may be reported for your server. Here are some notes on how to fix them.

1. ApacheServerTokenNotSet

This one is relatively easy to fix.

2. HTTPTraceEnabled

Fixing this one is often straightforward, but can be more complicated. If your web server is running the Tomcat "Java servlet container" (as, for example, some elog installations do), be sure to see the final section. If you think you have fixed Apache but still have "trace enabled" on port 8080, again, check the Tomcat notes below.

Update: For Apache version 1.3.34 (or later 1.3.x versions), or Apache 2.0.55 (or later), this has been made easy. In section 1, just add the line
TraceEnable off
For older versions of Apache, see below.
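
To check a configuration against both findings before the next scan, here is an added example (not part of the original notes): a small Python audit of httpd.conf text. It assumes that any uncommented ServerTokens directive clears ApacheServerTokenNotSet and that the file is flat (no Include or VirtualHost handling); the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """\
# Section 1: Global Environment
ServerRoot "/etc/httpd"
#TraceEnable off
ServerTokens Prod
Listen 80
"""

def last_directive(conf_text, name):
    """Return the value of the last uncommented `name` directive, or None."""
    value = None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive has no effect
        parts = line.split(None, 1)
        if parts[0].lower() == name.lower():  # directive names are case-insensitive
            value = parts[1].strip() if len(parts) > 1 else ""
    return value

def trace_enable_supported(version):
    """True for Apache 1.3.34+ (1.3.x) or 2.0.55 and later, per the note above."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    v = tuple(int(x) for x in m.groups())
    if v[0] == 1:
        return v[:2] == (1, 3) and v >= (1, 3, 34)
    return v >= (2, 0, 55)

def audit(conf_text, version):
    """Return the scan findings that the directives in conf_text do not address."""
    findings = []
    if last_directive(conf_text, "ServerTokens") is None:  # assumed scan criterion
        findings.append("ApacheServerTokenNotSet")
    trace = last_directive(conf_text, "TraceEnable")
    if not trace_enable_supported(version):
        # The directive does not exist in this release; this check cannot clear it.
        findings.append("HTTPTraceEnabled: TraceEnable not available in %s" % version)
    elif trace is None or trace.lower() != "off":
        findings.append("HTTPTraceEnabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, "2.0.55"):
        print(finding)
```

The sample deliberately leaves TraceEnable commented out, a common reason the scan keeps reporting HTTPTraceEnabled after an edit.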

Disabling Trace in Tomcat

If you are running Tomcat as part of your installation, you may also get a report about "trace enabled" on port 8080 (or a similar port). Here is one example of how to fix this (for Tomcat 4.0).

Author: John Bartelt