Monday, January 7, 2008

Apache, disable debugging functions

I want to disable the debugging function TRACE, as recommended by Nessus rule 11213.

The Nessus rule has a very precise guide for disabling it:

Add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.


So in my Apache main config file I put TraceEnable off.

I will check the Nessus scan results after these changes.
If you cannot wait for that, you can use telnet to check whether TRACE is actually off:
telnet your.server 80
TRACE / HTTP/1.1
Host: a.valid.hostname
sometext
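
A scripted version of the telnet check above, added here as an example (not code from the original post): it sends the same request for TRACE and TRACK and classifies the reply. The marker header and the function names are this example's own; Apache answers 405 when TraceEnable is off and 403 when the [F] rewrite rule matches.

```python
import socket

# Constructed marker header: if it comes back in the body, the server echoed us.
MARKER = b"X-Trace-Check: constructed-marker-7f3a"

def build_request(host, method="TRACE"):
    """Same request as the telnet session, plus a marker header and the final blank line."""
    return (method.encode() + b" / HTTP/1.1\r\nHost: " + host.encode()
            + b"\r\n" + MARKER + b"\r\nConnection: close\r\n\r\n")

def classify(raw):
    """Return 'enabled', 'disabled' or 'unknown' for a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "unknown"
    status = int(parts[1])
    ctype = b""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            ctype = value.strip().lower()
    if status == 200 and (MARKER in body or ctype.startswith(b"message/http")):
        return "enabled"      # request echoed back: the method is answered
    if status in (403, 405, 501):
        return "disabled"     # 405: TraceEnable off, 403: [F] rule, 501: not implemented
    return "unknown"          # redirects, proxies, error pages: inspect by hand

def check(host, port=80, method="TRACE", timeout=5.0):
    """Send the request to host:port and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, method))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:      # server closed the connection (Connection: close)
                break
            chunks.append(data)
    return classify(b"".join(chunks))

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for m in ("TRACE", "TRACK"):
        print(m, check(target, method=m))
```

Run it once per virtual host name, since the rewrite rules apply per virtual host; an "unknown" result means the reply should be read by hand.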

2 comments:

Unknown said...

Would this be done by inserting the code into the Apache httpd.conf?

Chty said...

yes