Apache Web Server : Disable TRACE or TRACK method

HTTP TRACE/TRACK methods are enabled by default on all cPanel servers. This leaves debugging functions enabled on the remote web server, which an attacker can make use of.

How do I disable it?

If you are using WHM/cPanel, it can be done through the admin UI as shown below:

1. Access your Web Hosting Manager (WHM)
2. Under Service Configuration, click the link for Apache Configuration
3. Click the Global Configuration link
4. The second option is TraceEnable. Set this to OFF.
5. Restart Apache


2. Disable HTTP TRACE/TRACK using a .htaccess file.
You may need to add the following lines to your .htaccess file:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

How do I verify the settings are correctly set?

a. Telnet to the server IP.

Telnet should respond by waiting on a character. This proves the connection cannot be made, and you will only be able to exit from it by pressing CONTROL-C on your keyboard.

[root@rc-025 conf]# telnet 27.17.21.27 80
Trying 27.17.21.27...
Connected to server27-17-2-27.live-servers.net (27.17.21.27).
Escape character is '^]'.
Connection closed by foreign host.
[root@rc-025 conf]#

b. There is a web UI available to verify it.

Open http://web-sniffer.net/, enter the URL you want to test, and select the TRACE option. Once it is properly set up, you will see the HTTP status response showing “Status: HTTP/1.1 405 Method Not Allowed”.
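
The same verification can be scripted. The following is an added example, not part of the original post: it sends TRACE and TRACK with a marker header and reports whether the server echoed the request back or refused the method. The header name `X-Trace-Check`, the marker value, the sample responses, and the choice to treat 403, 405 and 501 as "blocked" are assumptions of this example.

```python
import http.client
import sys

MARKER = "probe-1234"        # constructed value; any unique string works
BLOCKED = {403, 405, 501}    # 403: RewriteRule [F]; 405: TraceEnable Off; 501: method not implemented

def classify(status, body, marker=MARKER):
    """Classify one response to a TRACE/TRACK probe."""
    if status == 200 and marker in body:
        return "enabled"     # the request was echoed back, so the method is live
    if status in BLOCKED:
        return "blocked"
    return "unclear"         # e.g. 200 without an echo, or a redirect; inspect by hand

def probe(host, port=80, method="TRACE", timeout=5):
    """Send one probe over plain HTTP and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={"X-Trace-Check": MARKER})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        return classify(resp.status, body)
    finally:
        conn.close()

def audit(host, port=80):
    """Return {method: verdict} for both methods the article disables."""
    return {m: probe(host, port, m) for m in ("TRACE", "TRACK")}

# Constructed sample responses (status, body) so the logic can be run offline.
SAMPLES = {
    "echoed": (200, "TRACE / HTTP/1.1\r\nHost: example.test\r\n"
                    "X-Trace-Check: probe-1234\r\n\r\n"),
    "trace_off": (405, "<title>405 Method Not Allowed</title>"),
    "rewrite_forbidden": (403, "<title>403 Forbidden</title>"),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:    # usage: script.py <your-server>
        for method, verdict in audit(sys.argv[1]).items():
            print(f"{method}: {verdict}")
    else:
        for name, (status, body) in SAMPLES.items():
            print(f"{name}: {classify(status, body)}")
```

Run it against your own server after each change; both methods should report "blocked" once TraceEnable is off or the rewrite rule is in place.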
