  1. #1
    Newbie tmcoadmin
    Join Date
    Dec 2007
    Location
    Lincoln, Nebraska, USA
    Posts
    2

    Disable Trace/Track in UT web server

    I need to disable the "TRACE/TRACK" on UT.

    Long story short, our bank is having us run a "security scan" by a third-party, and it's bitching about port 58746, the one used to access spam quarantine.

    I would like to disable http trace/track, and just want someone to hold my hand a bit, to make sure I don't do something irretrievable.

    So, can someone point me in the direction I need to go? Is there something easier/better I can do to effect the same result?

    Thank you kindly, in advance.

    Below, see the output of the security scan regarding this issue. IPs have been masked to protect the guilty.

    Code:
    Threat ID: 111213
    Details:
    
    IP Address: 123.456.789.00
    Host: 123.456.789.00
    Path:
    
    THREAT REFERENCE
    
    Summary:
    HTTP TRACE / TRACK Methods Allowed
    
    Risk: High (3)
    Type: Nessus
    Port: 58746
    Protocol: TCP
    Threat ID: 111213
    
    Information From Target:
    To disable these methods, add the following lines for each virtual
    host in your configuration file :
    
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    
    Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
    support disabling the TRACE method natively via the 'TraceEnable'
    directive.
    
    Nessus sent the following TRACE request :
    
    ------------------------------ snip ------------------------------
    TRACE /Nessus1929482914.html HTTP/1.1\r
    Connection: Close\r
    Host: h00.987.654.321.static.ip.windstream.net\r
    Pragma: no-cache\r
    User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)\r
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r
    Accept-Language: en\r
    Accept-Charset: iso-8859-1,*,utf-8\r
    Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=\r
    \r
    ------------------------------ snip ------------------------------
    
    and received the following response from the remote server :
    
    ------------------------------ snip ------------------------------
    HTTP/1.1 200 OK\r
    Date: Tue, 21 Jun 2011 01:55:24 GMT\r
    Server: Apache\r
    Keep-Alive: timeout=15, max=100\r
    Connection: Keep-Alive\r
    Transfer-Encoding: chunked\r
    Content-Type: message/http\r
    \r
    \r
    TRACE /Nessus1929482914.html HTTP/1.1\r
    Connection: Keep-Alive\r
    Host: h00.987.654.321.static.ip.windstream.net\r
    Pragma: no-cache\r
    User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)\r
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r
    Accept-Language: en\r
    Accept-Charset: iso-8859-1,*,utf-8\r
    Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=\r
    \r
    ------------------------------ snip ------------------------------
    
    Solution:
    Disable these methods. Refer to the plugin output for more information.

    Details:
    
    The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.
    Last edited by tmcoadmin; 06-23-2011 at 01:32 PM.

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,173


    If you're referring to disabling HTTP Trace, that is in /etc/apache2/conf.d/security

    By default the directive from Debian enables Trace. There is a commented-out line that disables it; you just have to move the # from one line to the other.

    Interesting that the security file has the headers set to production, default is full. So UT is modifying things in that file. I wonder why they left trace on.
    Last edited by sky-knight; 06-23-2011 at 05:08 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Newbie tmcoadmin
    Join Date
    Dec 2007
    Location
    Lincoln, Nebraska, USA
    Posts
    2


    Thank you, Rob. I'll try that in the morning, and tell the scanning company to "Play it again, Sam." In a few days, I'll get the results and let you know.

    Cheers,
    Chris

  4. #4
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,173


    If you make a change to that file, don't forget to restart apache or reboot.

    apache2ctl restart

    I should point out that I've been running with trace disabled since 7.4 without issue. I had forgotten about this little adjustment when I reloaded. Trace is disabled again.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
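
A way to confirm the change discussed in this thread before asking for a rescan, as an added example that is not part of any post above and not Untangle's own tooling. It reads the effective `TraceEnable` value from a config file and classifies a TRACE probe the way the scan output does (200 with `Content-Type: message/http` means the request was echoed). Assumptions: the last uncommented `TraceEnable` in the file is the one in effect, the sample file contents are constructed, and the URL given to `probe_trace` is whatever host and port your scanner flagged.

```shell
#!/bin/sh
# Added example: audit TraceEnable in a config file, then verify over HTTP.

# Constructed sample of a security config with TRACE left enabled.
sample_security_conf() {
    cat <<'EOF'
ServerTokens Prod
#TraceEnable Off
TraceEnable On
EOF
}

# Print the effective TraceEnable value ("on", "off" or "extended").
# Assumption: the last uncommented directive in the file is the one in effect.
# With no directive present, Apache's built-in default is "on".
effective_trace_enable() {
    awk '
        BEGIN { v = "on" }
        $1 ~ /^#/ { next }                       # skip commented lines
        tolower($1) == "traceenable" { v = tolower($2) }
        END { print v }
    ' "$1"
}

# Classify a TRACE probe from its status code and Content-Type.
# 405 is what TraceEnable Off returns; 403 is what the rewrite rule [F] returns.
trace_verdict() {
    case "$1" in
        200)
            case "$2" in
                message/http*) echo "enabled" ;;   # request was echoed back
                *)             echo "inconclusive" ;;
            esac ;;
        403|405) echo "disabled" ;;
        *)       echo "inconclusive" ;;
    esac
}

# Live check against your own server (needs network and curl).
# Usage: probe_trace http://HOST:PORT/
probe_trace() {
    _out=$(curl -s -o /dev/null -w '%{http_code} %{content_type}' -X TRACE "$1") || return 1
    trace_verdict "${_out%% *}" "${_out#* }"
}
```

Run `effective_trace_enable /etc/apache2/conf.d/security` after editing the file, restart Apache, then run `probe_trace` against the flagged port; a verdict of `disabled` is what the rescan should also see.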
