Hey Guys
If you run a website or blog and you are in charge of the server such as on a VPS you might not want to let everyone know what version of apache or Linux you are running on.
this gives potential attackers information that can use to attack your site. For example, if an attacker browses your site and receives a message saying that apache 2.4.x has encountered a problem then the attacker knows what exact version of apache you are running they can then check against things like http://vuldb.com to find vulnerabilities.
Especially if you are running an outdated version that may be buggy But we are always running the latest code right so we need not worry ???
LOL we know that’s not always the case as patching systems still is a problem for many organizations
keeping up to date with things like patching is the single most important thing you can do for your systems.
So what can we do the reduce the information we send from our webserver. see below
Default behavior
By default when you surf to a page that is running apache you can use your browser’s developer tools (usually by pressing F11) to see the HTTP responses from the given server see below
We see the Server HTTP header that shows we are running apache 2.4.6 on a centos operating system
| ETag |
“1321-5058a1e728280”
|
| Keep-Alive |
timeout=5, max=98
|
| Last-Modified |
Thu, 16 Oct 2014 13:20:58 GMT
|
| Server |
Apache/2.4.6 (CentOS) PHP/7.2.20
|
A quick search on vulndb.com shows the following exploits related to apache 2.4 now granted that doesn’t mean you’re in you still need the expertise to apply these exploits but the point is we now have information that the site willingly gives up ! yay for hackers Doh for admins!
Ok, let’s fix it! so the fix is dead simple all you need to do is add the following lines to your httpd.conf or apache2.conf file depending on what OS you are using
For Debian/Ubuntu
use your text editor and edit /etc/apache2/apache2.conf
add the following lines to the bottom
ServerSignature Off
ServerTokens Prod
For Centos/RHEL
/etc/httpd/httpd.conf
Now reload your apache service
Ubuntu/Debian
systemctl restart apache2
Centos/RHEL
systemctl restart httpd
And now go back to the page and reload while checking the headers you should see the following response
| ETag |
“1321-5058a1e728280”
|
| Keep-Alive |
timeout=5, max=100
|
| Last-Modified |
Thu, 16 Oct 2014 13:20:58 GMT
|
| Server |
Apache
|
As you can see all the information that is given out now is simply apache, not the version and not the underlying OS
See simple and helpful no need to give out more info than we need to!
You can also see my video on this below
Hi,
I suggest set expose_php = Off in php.ini too. Without this anyone can easily find out PHP version:
lynx -head https://url
HTTP/1.1 200 OK
Date: Wed, 15 Sep 2021 06:07:42 GMT
Server: Apache
X-Powered-By: PHP/7.4.8