Apache Tips & Tricks: Hide apache software version
Applies: apache 1.3.x / apache 2.0.x
Required apache module: – (included in core)
Scope: global server configuration
Type: security
Description: How to hide the apache software version to remote requests.
Useful: to avoid disclosing information that does not need to be disclosed. As shown in “Discover the web server software and version of a remote server”, anyone can read valuable information from our apache server banner: what version are we running? Is it vulnerable? What modules, which might also have vulnerabilities, are loaded, and even what operating system are we running? That is too much information. This will not protect in any way against real vulnerabilities if they exist, but it will at least make an attacker's life harder. It will also not stop more complex fingerprinting programs from detecting some information about the web server, but at least we should not make their life easier.
I will talk in this post about two apache directives, ServerTokens and ServerSignature, and how they can be used. To provide only a minimal amount of information we set this in the main config:
ServerTokens ProductOnly
ServerSignature Off
That’s it… For a more detailed description check out the rest of the post.
ServerTokens
This directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server as well as information about compiled-in modules.
- globally set in the main server config.
- the default is Full (ServerTokens Full). So if your Linux distribution has not overridden this, you will be presenting all the possible information to the world. For example RHEL sets this to ServerTokens OS, while Debian does not set anything, leaving it at the default (Full).
Possible values:
| ServerTokens Setting | Server Banner Header |
| --- | --- |
| ProductOnly | Server: Apache |
| Major | Server: Apache/2 |
| Minor | Server: Apache/2.0 |
| Minimal | Server: Apache/2.0.55 |
| OS | Server: Apache/2.0.55 (Debian) |
| Full (or not specified, the default) | Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b |
Starting with apache version 2.0.44, this directive also controls the information presented by the ServerSignature directive described below.
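To verify from the outside which ServerTokens level a server is actually running with, the following added example (written for this post, not part of the original article) maps a Server header value back to the level in the table above and also checks a server-generated page for the ServerSignature footer. The sample 404 response is constructed, not captured from a real host.

```python
import re
# Server banner shapes per ServerTokens level (see the table above)
BANNER_RE = re.compile(r"^Apache/(\d+)(?:\.(\d+))?(?:\.(\d+))?(\s+\([^)]*\))?(.*)$")
# ServerSignature footer as Apache renders it on server-generated pages
SIGNATURE_RE = re.compile(r"<address>.*?Server at .*?Port \d+</address>", re.S)

def classify_server_tokens(banner):
    """Map a Server header value to the ServerTokens level that produces it
    (ProductOnly/Major/Minor/Minimal/OS/Full); None if not an Apache banner."""
    banner = banner.strip()
    if banner == "Apache":
        return "ProductOnly"
    m = BANNER_RE.match(banner)
    if not m:
        return None
    _major, minor, patch, os_part, rest = m.groups()
    if rest.strip():      # extra module tokens such as PHP/... or mod_ssl/...
        return "Full"
    if os_part:
        return "OS"
    if patch is not None:
        return "Minimal"
    return "Minor" if minor is not None else "Major"

def server_header(raw_response):
    """Return the Server header value of a raw HTTP response, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def audit_response(raw_response):
    """Return (banner, level, footer_present, minimal); minimal is True only when
    the banner is ProductOnly (or there is no Server header) and no footer is shown."""
    banner = server_header(raw_response)
    level = classify_server_tokens(banner) if banner else None
    _head, _sep, body = raw_response.partition("\r\n\r\n")
    footer = bool(SIGNATURE_RE.search(body))
    return banner, level, footer, level in (None, "ProductOnly") and not footer

# Constructed sample 404 response (not captured from a real host)
SAMPLE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b\r\n"
    "Content-Type: text/html\r\n\r\n<html><body><h1>Not Found</h1>\n"
    "<address>Apache/2.0.55 (Debian) Server at www.example.com Port 80</address>\n"
    "</body></html>"
)
```

Feed it the raw response of a request for a non-existent page on your own server; a result of ("Apache", "ProductOnly", False, True) means both directives are in effect.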
ServerSignature
This directive allows the configuration of a trailing footer line under server-generated documents (error messages, mod_proxy ftp directory listings, etc.).
- this can also be set outside the global server config: in virtual hosts, per directory or in .htaccess.
- the default is off (ServerSignature Off), but some Linux distributions enable it. For example the Debian package enables ServerSignature on the default vhost.
- be careful that a global Off can be overridden at the vhost or directory level, so make sure that this is not the case.
Possible values:
Off (default): suppresses the footer line
On: adds a line with the server version number and the ServerName of the serving virtual host. After version 2.0.44, the details of the server version number presented are controlled by the ServerTokens directive.
EMail: includes all the information set with On and additionally creates a “mailto:” reference to the ServerAdmin.
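Because the last ServerTokens line wins and a ServerSignature On inside a vhost or directory block silently overrides a global Off, it pays to scan every config file Apache reads. The following added example (written for this post, not part of the original article or of Apache itself) does that over constructed config fragments; the file names and contents are assumptions.

```python
import re
# Directive and container patterns; Apache directive names are case-insensitive
DIRECTIVE_RE = re.compile(r"^\s*(ServerTokens|ServerSignature)\s+(\S+)", re.I)
OPEN_RE = re.compile(r"^\s*<(VirtualHost|Directory|Location|Files)\b[^>]*>", re.I)
CLOSE_RE = re.compile(r"^\s*</(VirtualHost|Directory|Location|Files)\s*>", re.I)

def scan_config(text, filename):
    """Yield (filename, lineno, context, directive, value) for each ServerTokens or
    ServerSignature line; context is 'global' or the enclosing container chain."""
    stack = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):      # skip comment lines
            continue
        opened, closed = OPEN_RE.match(line), CLOSE_RE.match(line)
        if opened:
            stack.append(opened.group(1))
        elif closed and stack:
            stack.pop()
        else:
            m = DIRECTIVE_RE.match(line)
            if m:
                ctx = "/".join(stack) or "global"
                yield filename, lineno, ctx, m.group(1).lower(), m.group(2)

def effective_settings(files):
    """files: (filename, text) pairs in the order Apache reads them. Returns
    (servertokens, where_set, signature_enabled_at): ServerTokens is last-one-wins
    in the global context (default Full); the list names every place, in any
    context, where ServerSignature is On or EMail and so overrides a global Off."""
    tokens, where, enabled = "Full", "default (not set)", []
    for fname, text in files:
        for f, ln, ctx, name, value in scan_config(text, fname):
            if name == "servertokens" and ctx == "global":
                tokens, where = value, f"{f}:{ln}"
            elif name == "serversignature" and value.lower() in ("on", "email"):
                enabled.append(f"{f}:{ln} [{ctx}]")
    return tokens, where, enabled

# Constructed config fragments (not real files from any distribution)
MAIN_CONF = "# main server config\nServerTokens OS\nServerSignature Off\nServerTokens ProductOnly\n"
VHOST_CONF = """<VirtualHost *:80>
    ServerName www.example.com
    ServerSignature On
    <Directory /var/www>
        ServerSignature Off
    </Directory>
</VirtualHost>
"""
```

On a real system, read the main config plus every file it Includes and pass them in that order; any entry in the returned list is a place where the footer is still switched on.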
Note: setting the directives shown to provide minimal information will not make your server more secure. If you run vulnerable versions you should upgrade them as soon as possible. Still, many worms check this banner and, if they find something they like (for example a vulnerable mod_ssl), launch the attack. But there are also many such worms that do not check anything and just try to exploit any server… There are also other, more complex fingerprinting applications that can find out various information about your web server even with these directives set to the minimum… But even then there are many advantages, as they will not be able to get information as accurate as that presented in the apache banner.
Conclusion: if you want to provide minimum information about your system, set this in your main apache config:
ServerTokens ProductOnly
ServerSignature Off
PS: check out other future tips that will show how you can change the apache banner to present some other information (for example SomeWebServer instead of Apache).
24th July 2006, 10:10
See http://www.nohn.org/blog/archives/18-Removing-the-Apache-Server-Header.html about removing the Server header at all.
27th July 2006, 22:14
thanks for the tip!
3rd August 2006, 14:53
I have tried this but it’s not working. When I get the error 404 page I get the apache version and OS information. Why is it so? Please help.
3rd August 2006, 15:35
love,
check if you don’t have a ServerTokens directive in your other configuration files (like the default vhosts, or the main config) that might overwrite the changes you are making… (the last one that appears will take effect). Maybe run a search on your config files and see if it is defined somewhere else.
18th July 2007, 22:45
Worked great for me. Nice tip Marius!
6th March 2008, 19:32
Thanks!
Great tip!
13th October 2008, 14:59
I was looking for this, exactly what I needed, thanks a lot.
21st April 2009, 15:35
thanks for the useful information
23rd February 2010, 17:14
Thanks for this post, just what I was looking for and it worked like a charm.
In our case we modified the /etc/apache2/conf.d/security file.
Thanks again!
12th March 2010, 08:43
[...] with Apache (apache by default will show a lot of information even about the linux distribution and installed [...]