Apache-logo

Protecting Apache by removing version signatures and Server info

Hey Guys

If you run a website or blog and you are in charge of the server such as on a VPS  you might not want to let everyone know what version of apache or Linux you are running on.

this gives potential attackers information that can use to attack your site. For example, if an attacker browses your site and receives a message saying that apache 2.4.x has encountered a problem then the attacker knows what exact version of apache you are running they can then check against things like http://vuldb.com  to find vulnerabilities.

Especially if you are running an outdated version that may be buggy  But we are always running the latest code right so we need not worry ???

LOL we know that’s not always the case as patching systems still is a problem for many  organizations

keeping up to date with things like patching is the single most important thing you can do for your systems.

 

So what can we do the reduce the information we send from our webserver. see below

 

Default behavior

By default  when you surf to a page that is running apache you can use your browser’s developer tools (usually by pressing F11)  to see the HTTP responses from the given server see below

We see the Server HTTP header that shows we are running apache 2.4.6 on a centos operating system

ETag
“1321-5058a1e728280”
Keep-Alive
timeout=5, max=98
Last-Modified
Thu, 16 Oct 2014 13:20:58 GMT
Server
Apache/2.4.6 (CentOS) PHP/7.2.20

 

A quick search on vulndb.com shows the following exploits related to apache 2.4 now granted that doesn’t mean you’re in you still need the expertise to apply these exploits but the point is we now have information that the site willingly gives up ! yay for hackers Doh for admins!

 

vuldb-search

 

Ok, let’s fix it! so the fix is dead simple all you need to do is add the following lines to your httpd.conf or apache2.conf file depending on what OS you are using

 

For Debian/Ubuntu

use your text editor and edit /etc/apache2/apache2.conf

add the following lines to the bottom

ServerSignature Off
ServerTokens Prod

For Centos/RHEL

/etc/httpd/httpd.conf

Now reload your apache service

Ubuntu/Debian

systemctl restart apache2

Centos/RHEL

systemctl restart httpd

And now go back to the page and reload while checking the headers you should see the following response

ETag
“1321-5058a1e728280”
Keep-Alive
timeout=5, max=100
Last-Modified
Thu, 16 Oct 2014 13:20:58 GMT
Server
Apache

As you can see all the information that is given out now is simply apache, not the version and not the underlying OS

See simple and helpful no need to give out more info than we need to!

 

You can also see my video on this below

 

 

 

1 thought on “Protecting Apache by removing version signatures and Server info

  1. Hi,
    I suggest set expose_php = Off in php.ini too. Without this anyone can easily find out PHP version:
    lynx -head https://url
    HTTP/1.1 200 OK
    Date: Wed, 15 Sep 2021 06:07:42 GMT
    Server: Apache
    X-Powered-By: PHP/7.4.8

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.