Whenever Apache serves a page or generates an error page, it announces the software version and other details of the host in the Server response header. For example, the header may look like this:
Server: Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b
Server: Apache/2.0.53 (Ubuntu) PHP/4.3.10-10ubuntu4 Server at xx.xx.xx.xx Port 80
These lines expose the exact Apache version, the operating system or distribution, and the loaded modules with their versions (PHP, mod_ssl, OpenSSL, FrontPage). That lets an attacker look up the known vulnerabilities for precisely those versions, or at least makes it easy to pick your host out as a target when scanning for attack points. The trailing "Server at xx.xx.xx.xx Port 80" text in the second example is the footer that ServerSignature appends to error pages and other server-generated documents.
To stop Apache broadcasting this to the whole world and trim the information an attacker gets for free, set two directives, ServerTokens and ServerSignature, in httpd.conf:
- Log in as root, or use sudo, on the web server.
- Open httpd.conf (Apache 1.3) or apache2.conf (Apache 2) with vi or another text editor. The configuration normally lives in /etc/httpd/conf/, /etc/apache2/ or /etc/apache/, depending on the distribution.
- Locate the ServerTokens line. In vi, type /ServerTokens and press Enter.
- In Apache 1.3 you will usually find a line reading #ServerTokens Full. Delete the # (put the cursor on it and press x) and change Full to Prod (press r to replace one character, or R to overwrite several), so that the line reads ServerTokens Prod. Apache 2 packages often keep the directive in a separate file instead (Debian and Ubuntu, for example, ship it in /etc/apache2/conf.d/security or conf-enabled/security.conf), so if the search fails, grep the whole configuration directory before assuming it is absent. If it really is absent, go to the end of the file and open a new line (press o) reading ServerTokens Prod. Note that when the directive is missing entirely, Apache's default is Full, the most verbose setting.
- Next, search for ServerSignature. In Apache 1.3 it sits just above ServerTokens; edit it to read ServerSignature Off. In Apache 2, if the line is not already present, add a new one reading ServerSignature Off.
- The configuration should now contain these two directives:
ServerSignature Off
ServerTokens Prod
The first, ServerSignature Off, tells Apache not to append a trailing footer to server-generated documents (error messages, mod_proxy FTP directory listings, mod_info output and so on); that footer shows the version number and the ServerName of the serving virtual host, and with the EMail setting adds a mailto: link to the ServerAdmin address. The second, ServerTokens Prod, makes Apache return only the product name, Apache, in the Server header on every request, suppressing the OS, the major and minor version numbers and the list of loaded modules. ServerTokens also controls how much the ServerSignature footer reveals, and it applies to the whole server; it cannot be set per virtual host.
- Save and close the file: press Escape, type :wq and press Enter.
- Check the syntax with apachectl configtest, then restart Apache. The typical command is service httpd restart or /etc/init.d/apache2 restart.
- From now on the response header carries only the product name:
Server: Apache
Keep in mind what this does and does not achieve. The header still says Apache; ServerTokens cannot rename or remove it, and scanners can still fingerprint the server from its behaviour and error pages. Hiding the version denies an attacker a free lookup of which advisories apply to your host, but it is no substitute for patching.
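The procedure above, as an added example that is not part of the original post: a small POSIX shell script that applies the two directives to a configuration file idempotently and classifies a captured HTTP response header block as leaking or clean. The file path, the sample config lines and the two sample responses are constructed for the demonstration; the only real tool assumed is sed/grep plus, for a live check, curl.

```shell
#!/bin/sh
# Added example, not code from the original post. Hardens ServerTokens and
# ServerSignature in an Apache config file and checks a captured response for
# version leakage. Paths and sample responses below are constructed for the demo.

# harden_apache_config FILE
# Deletes any active (uncommented) ServerTokens/ServerSignature lines so the
# result contains exactly one of each, leaves commented documentation lines
# alone, and appends the hardened pair. Run "apachectl configtest" and restart
# Apache afterwards; Apache reads the directives at startup only.
harden_apache_config() {
    f="$1"
    # sed -i is not portable; write to a temporary file and move it into place.
    sed -E '/^[[:space:]]*(ServerTokens|ServerSignature)[[:space:]]/d' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
    printf 'ServerTokens Prod\nServerSignature Off\n' >> "$f"
}

# server_header_leaks RESPONSE
# RESPONSE is the raw header block of an HTTP response (e.g. from curl -sI).
# Exit status: 0 if the Server header carries a version ("/") or an
# OS/distribution in parentheses, 1 if it is a bare product name such as
# "Server: Apache", 2 if there is no Server header at all.
server_header_leaks() {
    server_line=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^Server:' | head -n 1)
    [ -n "$server_line" ] || return 2
    case "$server_line" in
        */*|*\(*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample responses (not captured from a real host).
LEAKY_RESPONSE='HTTP/1.1 200 OK
Date: Wed, 09 Sep 2009 19:00:00 GMT
Server: Apache/2.0.53 (Ubuntu) PHP/4.3.10-10ubuntu4
Content-Type: text/html'

HARDENED_RESPONSE='HTTP/1.1 200 OK
Date: Wed, 09 Sep 2009 19:00:00 GMT
Server: Apache
Content-Type: text/html'

# Demo run: harden a throwaway copy of a config and classify both responses.
demo() {
    tmp=$(mktemp)
    printf '#ServerTokens Full\nServerTokens OS\nServerSignature On\nLogLevel warn\n' > "$tmp"
    harden_apache_config "$tmp"
    echo "--- hardened config ---"
    cat "$tmp"
    rm -f "$tmp"
    for r in "$LEAKY_RESPONSE" "$HARDENED_RESPONSE"; do
        if server_header_leaks "$r"; then
            echo "LEAKS: $(printf '%s\n' "$r" | grep -i '^Server:')"
        else
            echo "clean: $(printf '%s\n' "$r" | grep -i '^Server:')"
        fi
    done
}

demo
```

To check a live host after the restart, feed the real header block to the same function: `server_header_leaks "$(curl -sI http://localhost/)"`; an exit status of 1 means the header has been reduced to the bare product name. The harden function deletes active directive lines rather than editing them in place because distribution configs often carry several commented-out variants next to the live one, and rewriting every match would leave duplicate directives behind.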
5 Responses to “Make sure you hide your Apache headers!!”
- 1 Pingback on Sep 9th, 2009 at 7:00 pm

Sorry. ServerTokens has nothing to do with security. If one fails to keep their software and OS current and does not correct unpatched vulnerabilities themselves, then THAT is a security problem. Attempting to hide out-of-date software will do nothing to prevent hacking attempts/successes.
I have left Apache running on Windows with full ServerTokens on busy websites for many years, not hacked once. Yes, Windows, no firewall, wide open on the internet, never hacked. Why? Because I don't fall for all the crap that most people do.
I can do the same on QNX, FreeBSD, Slackware, VxWorks… etc… etc…
I hate to say it as it is so trite, but here it is:
Security through obscurity does not work. Period.
I have to agree and disagree with this, given that obscurity only helps when your website is the one site they feel they need to hack. I have one server running Apache with the tokens open for all the world to see that has been running for 4 years now and has never had a single hack attempt. It hosts nothing of real value or anything inflammatory that invites attack.
On the other hand, I also admin a high-traffic site that is more prone to attack because of the content that resides there, so in this instance obscurity is your friend. Why? Because even though I keep my OS and software up to date, updated software does not equal safe software. That being said, the latest software has holes just like anything else, and if the hacker knows what I'm running it is that much easier for them to penetrate the system, as they can look up security issues on that particular version of Apache or the OS and see where I'm vulnerable.
So obscurity is your friend; while obscurity does not equal security, it does give you a better chance of avoiding or delaying attacks. And delaying attacks until I can apply a security patch keeps my servers safe.
I just found here what I was looking for, so thanks for that post.
After applying this, my server returns "Apache" in the HTTP response header.
Does Apache allow customizing this and putting "MyServer" instead, for instance? Would that be enough to actually hide which server is running?
Cool post! How much stuff did you have to search for in order to write this one? I can tell you put some work in.