Lighty Tips & Tricks: Hide lighttpd software version

Description: This will show how to hide the lighttpd version from remote requests.

Useful: there is really no need to disclose this information to everyone. As shown in “Discover the web server software and version of a remote server”, anyone can read valuable information from our web server banner. Hiding it will not protect against real vulnerabilities if they exist, but it will at least make an attacker's life harder. It will also not stop more sophisticated fingerprinting tools from detecting some information about the web server, but at least we should not make their life easier ;) .

Compared with Apache (which by default shows a lot of information, even the Linux distribution and the installed Apache modules), lighttpd only shows its name and version in the Server header. This is already better, but we probably still want to hide that information. For this, we use the global lighttpd variable server.tag, which defines the string returned in the Server header. The default (if not defined) is:

server.tag = "lighttpd <current-version>"

which shows up in a regular response header output like this:

...
Server: lighttpd/1.4.19
...

To override this, we just have to define our own value for the server.tag variable in lighttpd.conf. Usually I like to define it like this:

server.tag = "lighttpd"

keeping the lighty name but taking out the version; you can of course enter anything you like (even forging an Apache or IIS server banner, etc.):

server.tag = "Apache/1.3.29 (Unix) mod_perl/1.29 PHP/4.4.1 mod_ssl/2.8.16 OpenSSL/0.9.7g"

Conclusion: if you want to expose the minimum of information about your system, then customize your lighty server.tag:

server.tag = "lighttpd"
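As an added example (not part of the original post, and not lighttpd's own tooling), the POSIX shell script below does two things a defender typically wants when rolling out this setting: it reads a lighttpd.conf fragment and reports whether server.tag is set to a value that still carries a version, and it inspects a set of HTTP response headers to tell whether the Server banner discloses a "name/version" string. The config fragment and the header lines are constructed sample data embedded in the script; no server is contacted.

```shell
#!/bin/sh
# Added example, not from the original post: checks around lighttpd's server.tag.
# All input below is constructed sample data; nothing is fetched over the network.

# Return 0 when the Server: header in the HTTP response headers read from stdin
# carries a "/<digits>" version component (e.g. "lighttpd/1.4.19"), 1 otherwise.
server_banner_leaks_version() {
    banner=$(grep -i '^server:' | head -n 1 | tr -d '\r' | sed 's/^[^:]*:[[:space:]]*//')
    case "$banner" in
        */[0-9]*) return 0 ;;   # "name/1.2.3" style: version disclosed
        *)        return 1 ;;   # no Server header, or no version component
    esac
}

# Print the server.tag value from the given lighttpd.conf (first uncommented
# assignment). Prints nothing when it is absent; lighttpd then falls back to its
# default "lighttpd <current-version>", which discloses the version.
configured_server_tag() {
    sed -n 's/^[[:space:]]*server\.tag[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Classify a config file: "hidden" when server.tag is set to a value without a
# "/<digits>" component, "disclosed" otherwise (unset, or a version-bearing tag).
config_version_exposure() {
    tag=$(configured_server_tag "$1")
    case "$tag" in
        "")       echo disclosed ;;   # unset: default tag includes the version
        */[0-9]*) echo disclosed ;;   # custom tag that still carries a version
        *)        echo hidden ;;
    esac
}

# --- demo on constructed input ---
conf=$(mktemp)
printf '# constructed lighttpd.conf fragment\nserver.document-root = "/var/www"\nserver.tag = "lighttpd"\n' > "$conf"
echo "configured server.tag: $(configured_server_tag "$conf")"
echo "version exposure: $(config_version_exposure "$conf")"
rm -f "$conf"

# Constructed response headers, as a default lighttpd 1.4.19 would send them.
printf 'HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.19\r\nContent-Type: text/html\r\n\r\n' |
    if server_banner_leaks_version; then
        echo "banner discloses a version"
    else
        echo "banner hides the version"
    fi
```

To check a live server after editing lighttpd.conf and reloading, pipe the output of `curl -sI http://your-host/` into `server_banner_leaks_version`; the config check is useful in a pre-deployment lint step, since a forgotten or commented-out server.tag silently brings the version back.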

