{"id":707,"date":"2019-11-11T14:02:37","date_gmt":"2019-11-11T13:02:37","guid":{"rendered":"https:\/\/www.tiraquelibras.com\/blog\/?p=707"},"modified":"2019-12-26T17:00:16","modified_gmt":"2019-12-26T16:00:16","slug":"ocultar-banner-para-apache-postfix-y-dovecot-en-debian9","status":"publish","type":"post","link":"https:\/\/blog.tiraquelibras.com\/?p=707","title":{"rendered":"Hiding the banner for Apache, Postfix and Dovecot on Debian 9"},"content":{"rendered":"<p>There are several methods for identifying which version of a given program is running on a server. If that server also has a public connection, the risk it is exposed to is very high, especially when no regular update policy is followed.<\/p>\n<p>Some of these methods aim to obtain the <em><strong>banner<\/strong><\/em> that is shown when a <strong>TCP\/IP<\/strong> connection is made, using programs such as <strong>Telnet, NetCat, OpenSSL,<\/strong> <strong>Wget, <\/strong>&#8230;<\/p>\n<p>With this information an attacker would only have to look up the <em><strong>CVE<\/strong><\/em> corresponding to the version published by the target server and start exploiting its vulnerabilities.<\/p>\n<p>A good practice is to hide this information, which some programs also publish by default after installation. 
Below is how to hide it for programs as popular as <strong>Postfix, Dovecot <\/strong>and <strong>Apache<\/strong> running on a <strong>Debian 9<\/strong> server.<\/p>\n<hr \/>\n<h1><span class=\"ez-toc-section\" id=\"Postfix\"><\/span>Postfix<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>To hide the <em><strong>banner<\/strong><\/em> in <strong>Postfix<\/strong> we have to edit the file <em><strong>\/etc\/postfix\/main.cf<\/strong><\/em> and change the setting of the <em><strong>smtpd_banner<\/strong><\/em> parameter. 
Remember to make a <em>backup<\/em> of the file first.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\"># sudo cp \/etc\/postfix\/main.cf \/etc\/postfix\/main.cf.orig\r\n# sudo nano \/etc\/postfix\/main.cf<\/pre>\n<p>We hide any information that exposes us to risk:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">#smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)\r\nsmtpd_banner = $myhostname ESMTP\r\n<\/pre>\n<p>We restart the <strong>Postfix<\/strong> service:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\"># sudo systemctl restart postfix<\/pre>\n<p>With <strong>NetCat<\/strong>, <em><strong>nc<\/strong><\/em>, we check that no information about the installed software or its version is shown:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\"># nc email.tiraquelibras.com 25\r\n220 email.tiraquelibras.com ESMTP\r\n<\/pre>\n<hr \/>\n<h1><span class=\"ez-toc-section\" id=\"Dovecot\"><\/span>Dovecot<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>To hide the <em><strong>banner<\/strong><\/em> in <strong>Dovecot<\/strong> we edit the file <em><strong>\/etc\/dovecot\/dovecot.conf<\/strong> <\/em>and change the <em><strong>login_greeting<\/strong><\/em> parameter. 
Remember to make a <em>backup<\/em> of the file first:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\"># sudo cp \/etc\/dovecot\/dovecot.conf \/etc\/dovecot\/dovecot.conf.orig\r\n# sudo nano \/etc\/dovecot\/dovecot.conf<\/pre>\n<p>We edit the <em><strong>login_greeting<\/strong><\/em> parameter, which sets the <em><strong>banner<\/strong> <\/em>shown when a connection is made:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\"># Greeting message for clients.\r\n#login_greeting = Dovecot ready.\r\nlogin_greeting = MailServer managed by Tiraquelibras.<\/pre>\n<p>We restart the <strong>Dovecot<\/strong> service:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\"># sudo systemctl restart dovecot<\/pre>\n<p>If we connect to one of the ports <strong>Dovecot<\/strong> listens on, we see the new <em>banner<\/em>:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\"># openssl s_client -connect 127.0.0.1:993\r\n...\r\n---\r\n* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] MailServer managed by Tiraquelibras.\r\n<\/pre>\n<hr \/>\n<h1><span class=\"ez-toc-section\" id=\"Apache\"><\/span>Apache<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>To hide the <strong><em>banner<\/em><\/strong> published by <strong>Apache<\/strong> we have to edit the file <em><strong>\/etc\/apache2\/apache2.conf<\/strong><\/em> and add the following lines, after making a <em>backup<\/em> of the file:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\"># sudo cp \/etc\/apache2\/apache2.conf \/etc\/apache2\/apache2.conf.orig\r\n# sudo nano \/etc\/apache2\/apache2.conf\r\n<\/pre>\n<p>We add the following lines at the end of the file, if they are not already there:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\"># HIDE THE APACHE VERSION\r\nServerTokens Prod\r\nServerSignature Off\r\n<\/pre>\n<p>If we also use <strong>PHP<\/strong>, we have to edit its configuration file. In my case I use <strong>PHP7<\/strong>. To find the configuration file we run the following command:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\"># sudo php -i | grep \"Loaded Configuration File\"\r\nLoaded Configuration File =&gt; \/etc\/php\/7.0\/cli\/php.ini\r\n<\/pre>\n<p>Note that <em>php -i<\/em> run from the shell reports the file loaded by the command-line PHP; when Apache runs PHP through its own module or through PHP-FPM it loads a separate <em>php.ini<\/em> (on Debian, under <em>\/etc\/php\/7.0\/apache2\/<\/em> or <em>\/etc\/php\/7.0\/fpm\/<\/em>), and <em>expose_php<\/em> has to be changed there as well for the change to reach the HTTP response headers. We edit the resulting file, after a backup:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\"># sudo cp \/etc\/php\/7.0\/cli\/php.ini \/etc\/php\/7.0\/cli\/php.ini.orig\r\n# sudo nano \/etc\/php\/7.0\/cli\/php.ini<\/pre>\n<p>We change the <em><strong>expose_php<\/strong><\/em> parameter to <em><strong>Off<\/strong><\/em><em>:<\/em><\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">; Decides whether PHP may expose the fact that it is installed on the server\r\n; (e.g. by adding its signature to the Web server header).  
It is no security\r\n; threat in any way, but it makes it possible to determine whether you use PHP\r\n; on your server or not.\r\n; http:\/\/php.net\/expose-php\r\n;;;expose_php = On\r\nexpose_php = Off\r\n<\/pre>\n<p>We restart the <strong>Apache<\/strong> service:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\"># sudo systemctl restart apache2<\/pre>\n<p>We confirm the published <strong><em>banner<\/em><\/strong>:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\"># lynx -head -mime_header http:\/\/localhost\r\nHTTP\/1.1 200 OK\r\nDate: Mon, 11 Nov 2019 12:54:01 GMT\r\nServer: Apache\r\nX-XSS-Protection: 1; mode=block\r\nExpires: Mon, 26 Jul 1997 05:00:00 GMT\r\nLast-Modified: Mon, 11 Nov 2019 12:54:01 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, max-age=0\r\nCache-Control: post-check=0, pre-check=0\r\nPragma: no-cache\r\nConnection: close\r\nContent-Type: text\/html; charset=utf-8\r\n<\/pre>\n<p>Previously the version was shown, for example <em><strong>Server: Apache\/x.x.xx (Debian)<\/strong><\/em>.<\/p>\n<hr \/>\n<h1><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>With these simple steps we can harden our Internet-facing services a little more, hiding the clues that attackers try to gather beforehand with <strong><a href=\"https:\/\/www.solvetic.com\/tutoriales\/article\/2740-tecnicas-footprinting-y-fingerprinting-para-recoger-informacion\/\" class=\"external external_icon\" rel=\"nofollow\" target=\"_blank\">Fingerprinting<\/a><\/strong> techniques.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There are several methods for identifying which version of a given program is running on a server. 
If that server also has a connection<\/p>\n","protected":false},"author":1,"featured_media":709,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,10,22],"tags":[91,89,90,92],"class_list":["post-707","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ciberseguridad","category-sistemas","category-ti","tag-banner","tag-fingerprinting","tag-hacking","tag-securizar"],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/posts\/707","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=707"}],"version-history":[{"count":0,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/posts\/707\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/media\/709"}],"wp:attachment":[{"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=707"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=707"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=707"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}