When a client (most often a browser) makes an HTTP request to a web-server, the server responds with an HTTP response. The response contains a status line with a status code (e.g., HTTP/1.1 200 OK) and a set of response headers. Surprisingly, the Apache web-server embeds version information about itself in these HTTP response headers. If you are concerned about exposing the version of Apache you are running to the world, you may want to disable this. Hackers often look for specific versions of Apache with known bugs to pick on, then target the site with various attack methods. Blocking this Apache version information in the HTTP response headers can make it more difficult for hackers to identify the version of Apache you are running and compromise your system(s). Continue reading for the HOWTO.
ServerSignature Off
ServerTokens Prod
From the Apache documentation: "The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents (error messages, mod_proxy ftp directory listings, mod_info output, ...). The ServerTokens directive controls whether the Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules."
I have yet to encounter a need to actually enable a Server Signature or provide information about the Apache version in the HTTP response headers. You can use the HTTPFox Firefox Extension to examine the HTTP response headers and verify that your server is, or is not, replying with version information in the response (as shown below).
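If you would rather check from a script than by eye in HTTPFox, the following is an added example (my own code, not from the original post or the Apache project). It parses a raw HTTP response head and lists every product/version token found in the Server and X-Powered-By headers. Both sample responses are constructed: the first shows the kind of Server header Apache sends with the default ServerTokens setting plus PHP's X-Powered-By header, the second shows the bare "Server: Apache" that ServerTokens Prod produces. Header values, dates and version numbers in the samples are made up for illustration.

```python
import re

# Constructed sample response head: default ServerTokens (verbose Server
# header) and PHP's X-Powered-By header present. Not captured from a real host.
VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 27 Apr 2009 12:00:00 GMT\r\n"
    "Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9\r\n"
    "X-Powered-By: PHP/5.2.9\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed sample after "ServerTokens Prod" and hiding X-Powered-By:
# Apache then sends only the product name in the Server header.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 27 Apr 2009 12:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Matches a product token followed by a slash and a version number,
# e.g. "Apache/2.2.11", "OpenSSL/0.9.8k", "PHP/5.2.9".
VERSION_TOKEN = re.compile(r"([A-Za-z_][\w.-]*)/(\d[\w.]*)")


def parse_headers(raw):
    """Split a raw HTTP response head into (status_line, {name: value}).

    Only the head (up to the first blank line) is read; header names are
    lower-cased so lookups are case-insensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def find_version_leaks(raw):
    """Return [(header, product, version), ...] for every product/version
    token found in the Server and X-Powered-By headers."""
    _, headers = parse_headers(raw)
    leaks = []
    for name in ("server", "x-powered-by"):
        value = headers.get(name)
        if value is None:
            continue
        for product, version in VERSION_TOKEN.findall(value):
            leaks.append((name, product, version))
    return leaks


def is_hardened(raw):
    """True when neither Server nor X-Powered-By exposes a version number."""
    return not find_version_leaks(raw)


if __name__ == "__main__":
    for label, resp in (("verbose", VERBOSE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        leaks = find_version_leaks(resp)
        print(f"{label}: {'no version leaks' if not leaks else leaks}")
```

The check deliberately looks at more than the Apache token: with the default ServerTokens setting, compiled-in modules (mod_ssl, OpenSSL, PHP) announce their versions in the same header, and each one is a separate version the outside world learns about. To run it against a live server, feed it the raw response head (for example the output of a HEAD request) instead of the constructed strings.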
If you want to read up on why most admins hate the Apache web-server, take a look at Why I Hate The Apache Web Server!

FOLLOWUP 4/27/09:
If you're running PHP, you might also want to hide the X-Powered-By header inserted by PHP as I described in this post.