# Apache security. Cannot clear some issues.



## ghostcorps (Apr 7, 2012)

Hi guys,

I have been using Metasploit, a pen-testing framework, to find all the holes in my server. It then links me to the suggested fixes, but even though I am sure I have fixed a bunch of them, they are still showing. Can you suggest what I may have missed? Here are the issues that I am sure I have fixed:

*Apache Server mod_info is Publicly Accessible* *SOLVED* _server-info was redirecting back to the home page, this confused the scanner_

The link advises that I comment out the server-info lines as such:


```
#<Location /server-info>
#    SetHandler server-info
#</Location>
```

Which I have done in ../apache22/extras/http-info.conf

Even after restarting this issue is still reported by Metasploit.

*WebDAV Extensions are Enabled* *SOLVED* _As above_

The link says to disable mod_dav which I have done by commenting out the DAV lines as such:


```
#LoadModule dav_module libexec/apache22/mod_dav.so
#LoadModule dav_fs_module libexec/apache22/mod_dav_fs.so
# Distributed authoring and versioning (WebDAV)
#Include etc/apache22/extra/httpd-dav.conf
```

I also moved ../apache22/extras/http-dav.conf to ../http-dav.conf.bak

But it is still being reported.


*TLS/SSL Server Supports Weak Cipher Algorithms* *SOLVED* - _Third-party tool confirms SSLv2 is disabled._

The link says to replace the SSLCipherSuite line in /../apache22/extras/http-ssl.conf with this:


```
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
```

But the issue is still reported.

These are not particularly difficult things to change. What could I possibly be doing wrong? I have even restarted the server to be sure the changes are picked up. I made an info.php page and cannot see either mod_dav or server-info. Should I just ignore these as false positives?


----------
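Added example, not part of the original post: a small Python triage helper for the first two findings, which tells a real mod_info page apart from the redirect to the home page that confused the scanner, and checks an OPTIONS response for WebDAV. The function names and the sample responses are constructed for illustration; the match relies on the "Apache Server Information" heading that mod_info prints.

```python
"""Triage mod_info / WebDAV scanner findings from raw HTTP responses."""
import http.client

DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK"}

def mod_info_exposed(status, body):
    """True only if /server-info itself served the mod_info page.

    A redirect to the home page is not an exposure, even though a
    scanner that follows redirects ends up on a 200 response.
    """
    return status == 200 and "apache server information" in body.lower()

def webdav_enabled(headers):
    """True if an OPTIONS response advertises WebDAV (RFC 4918)."""
    h = {k.lower(): v for k, v in headers.items()}
    if "dav" in h:  # mod_dav sends e.g. "DAV: 1,2"
        return True
    allow = {m.strip().upper() for m in h.get("allow", "").split(",")}
    return bool(allow & DAV_METHODS)

def fetch(host, method, path, port=80):
    """One request to your own server, without following redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        r = conn.getresponse()
        return r.status, dict(r.getheaders()), r.read().decode("latin-1")
    finally:
        conn.close()

# Constructed sample responses (not captured from a real server).
REDIRECTED = (302, "")                                   # Location: /
REAL_INFO = (200, "<h1>Apache Server Information</h1>")
HOME_PAGE = (200, "<h1>Welcome</h1>")                    # after redirect
OPTIONS_DAV = {"DAV": "1,2", "Allow": "OPTIONS,GET,PROPFIND,LOCK"}
OPTIONS_PLAIN = {"Allow": "GET,HEAD,POST,OPTIONS"}

if __name__ == "__main__":
    for name, resp in (("redirect", REDIRECTED), ("mod_info", REAL_INFO),
                       ("home page", HOME_PAGE)):
        print(f"{name:10} exposed={mod_info_exposed(*resp)}")
    print("dav   ", webdav_enabled(OPTIONS_DAV))
    print("plain ", webdav_enabled(OPTIONS_PLAIN))
```

For a live check, pass the status and body from `fetch(host, "GET", "/server-info")` to `mod_info_exposed`, and the headers from `fetch(host, "OPTIONS", "/")` to `webdav_enabled`.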

