How to Hide apache software version
I will talk in this post about setting two apache directives: ServerTokens and ServerSignature and how they can be used. Basically to provide only a minimal amount of information we will set this in the main config to:
ServerTokens ProductOnly
ServerSignature Off
That’s it. For a more detailed description, check out the rest of the post.
ServerTokens
This directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server as well as information about compiled-in modules.
- globally set in main server config.
- the default is Full (ServerTokens Full). So if your Linux distribution has not overridden this, you will be presenting all the possible information to the world. For example, RHEL sets this to ServerTokens OS, while Debian sets nothing and leaves it at the default (Full).
Possible values:
| ServerTokens Setting | Server Banner Header |
|---|---|
| ProductOnly | Server: Apache |
| Major | Server: Apache/2 |
| Minor | Server: Apache/2.0 |
| Minimal | Server: Apache/2.0.55 |
| OS | Server: Apache/2.0.55 (Debian) |
| Full (or not specified, the default) | Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b |
Starting with Apache version 2.0.44, this directive also controls the information presented by the ServerSignature directive described below.
ServerSignature
This directive allows the configuration of a trailing footer line under server-generated documents (error messages, mod_proxy ftp directory listings, etc.).
- this can also be set outside the global server config: in virtual hosts, per directory, or in .htaccess.
- the default is Off (ServerSignature Off), but some Linux distributions enable it. For example, the Debian package enables ServerSignature on the default vhost.
- be careful: setting this to Off in the main config can be overridden at the vhost or directory level, so you should verify that no such override exists.
Possible values:
Off (default): suppresses the footer line
On: adds a line with the server version number and ServerName of the serving virtual host. After version 2.0.44, the details of the server version number presented are controlled by the ServerTokens directive.
EMail: includes all the information set with On and additionally creates a “mailto:” reference to the ServerAdmin.
Note: setting these directives to provide minimal information will not by itself make your server more secure. If you run vulnerable versions, you should upgrade them as soon as possible. Still, many worms check this banner and launch their attack only if they find something they like (for example, a vulnerable mod_ssl), while many others check nothing and just try to exploit any server. There are also more complex fingerprinting tools that can work out a good deal about your web server even with these directives set to the minimum. Even so, hiding the banner has real advantages: an attacker will not get information as accurate as the default Apache banner hands out.
Conclusion: if you want to provide minimum information about your system set this in your main apache config:
ServerTokens ProductOnly
ServerSignature Off
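As an added example (not part of the original post), the following POSIX shell script puts the advice above into a repeatable check: it reports the effective ServerTokens value of a config tree, lists every active ServerSignature directive, and counts the vhost- or directory-level lines that turn the footer back on (the override the post warns about). It also classifies a captured Server header line into the ServerTokens level that produced it, so you can compare what a live server actually sends against what you configured. The config files it audits are constructed inline under a temporary directory so the script runs offline; the directory layout (apache2.conf, sites-enabled/, conf-enabled/) mirrors Debian packaging and is an assumption, as are the function names. Point CONF_ROOT at a real /etc/apache2 or /etc/httpd to audit an actual install.

```shell
#!/bin/sh
# Added example, not from the original post: audit Apache ServerTokens /
# ServerSignature settings. CONF_ROOT defaults to a temp dir that we fill with
# constructed sample files; override it to audit a real config tree.

CONF_ROOT="${CONF_ROOT:-$(mktemp -d)}"

# Constructed sample tree: hardened main config, but one vhost re-enables
# the footer, and one commented-out line that must NOT be counted.
make_sample_config() {
    mkdir -p "$CONF_ROOT/sites-enabled" "$CONF_ROOT/conf-enabled"
    cat > "$CONF_ROOT/apache2.conf" <<'EOF'
# main server config (constructed sample)
ServerTokens ProductOnly
ServerSignature Off
EOF
    cat > "$CONF_ROOT/sites-enabled/000-default.conf" <<'EOF'
<VirtualHost *:80>
    ServerName www.example.com
    ServerSignature On
    DocumentRoot /var/www/html
</VirtualHost>
EOF
    cat > "$CONF_ROOT/conf-enabled/security.conf" <<'EOF'
# a commented-out directive is inactive and must be ignored:
# ServerSignature EMail
EOF
}

# Print every active (non-comment) occurrence of directive $1 in *.conf files
# as "file:line:value". Apache directive names are case-insensitive (-i).
find_directive() {
    grep -rniE "^[[:space:]]*$1[[:space:]]+" "$CONF_ROOT" --include='*.conf' \
      | sed -E 's/^([^:]+):([0-9]+):[[:space:]]*[A-Za-z]+[[:space:]]+/\1:\2:/'
}

# ServerTokens is only valid in the main server config and the last
# occurrence wins; if it is never set, Apache's default is Full.
effective_server_tokens() {
    v=$(find_directive ServerTokens | tail -n 1 | cut -d: -f3- || true)
    printf '%s\n' "${v:-Full}"
}

# Number of places that turn the footer back on (On or EMail), e.g. in a vhost.
count_signature_overrides() {
    find_directive ServerSignature | grep -ciE ':(On|EMail)[[:space:]]*$' || true
}

# Map a captured Server header (with or without the "Server:" prefix) to the
# ServerTokens level that produces it. To capture one from a live host:
#   curl -sI http://host/ | grep -i '^Server:'
banner_level() {
    b=$(printf '%s' "$1" | sed -E 's/^[Ss]erver:[[:space:]]*//; s/[[:space:]]+$//')
    if   printf '%s\n' "$b" | grep -qE '^Apache$';                                   then echo ProductOnly
    elif printf '%s\n' "$b" | grep -qE '^Apache/[0-9]+$';                            then echo Major
    elif printf '%s\n' "$b" | grep -qE '^Apache/[0-9]+\.[0-9]+$';                    then echo Minor
    elif printf '%s\n' "$b" | grep -qE '^Apache/[0-9]+\.[0-9]+\.[0-9]+$';            then echo Minimal
    elif printf '%s\n' "$b" | grep -qE '^Apache/[0-9]+\.[0-9]+\.[0-9]+ \([^)]*\)$';   then echo OS
    else echo Full
    fi
}

# Stand-alone run: build the constructed tree and print a short report.
make_sample_config
echo "Config root:               $CONF_ROOT"
echo "Effective ServerTokens:    $(effective_server_tokens)"
echo "Active ServerSignature lines:"
find_directive ServerSignature | sed 's/^/  /'
echo "ServerSignature overrides: $(count_signature_overrides)"
```

On the constructed tree the report shows ServerTokens ProductOnly in effect but one override, the `ServerSignature On` inside the default vhost, which is exactly the case where the main-config setting is silently undone. The grep anchors on the start of the line so commented directives are skipped, and the banner classifier treats anything beyond `Apache/x.y.z (OS)` as Full, since any extra module tokens mean the default was never changed.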