Applies: apache 1.3.x / apache 2.0.x
Required apache module: – (included in core)
Scope: global server configuration
Type: security
Description: how to hide the Apache software version from remote requests. Useful for not disclosing information that nobody needs. As shown in "Discover the web server software and version of a remote server", anyone can read valuable information from our Apache server banner: what version are we running, is it vulnerable, what modules (which might also have vulnerabilities) are loaded, and even what operating system we run. That is too much information. Hiding it will not protect in any way against real vulnerabilities if they exist, but it will at least make an attacker's life harder. It will also not stop more complex fingerprinting programs from detecting some information about the web server, but at least we should not make their life easier ;).
I will talk in this post about two Apache directives, ServerTokens and ServerSignature, and how they can be used. Basically, to provide only a minimal amount of information, we will set ServerTokens to ProductOnly and ServerSignature to Off in the main config.
That's it... For a more detailed description check out the rest of the post.
ServerTokens: this directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server as well as information about compiled-in modules.
- globally set in main server config.
- the default is Full (ServerTokens Full). So if your Linux distribution has not overridden this, you are presenting all the possible information to the world. For example RHEL sets this to ServerTokens OS, while Debian sets nothing and leaves it at the default (Full).
ServerTokens value                    Server banner header
ProductOnly                           Server: Apache
OS                                    Server: Apache/2.0.55 (Debian)
Full (or not specified, the default)  Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b
Starting with Apache version 2.0.44, this directive also controls the information presented by the ServerSignature directive described below.
ServerSignature: this directive allows the configuration of a trailing footer line under server-generated documents (error messages, mod_proxy ftp directory listings, etc.).
- this can also be set outside the global server config: in virtual hosts, per directory or in .htaccess.
- the default is off (ServerSignature Off), but some Linux distributions enable it. For example the Debian package enables ServerSignature on the default vhost.
- be careful: setting this to Off globally can be overridden at the vhost or directory level, so you might want to make sure that this is not the case.
Possible values:
- Off (default): suppresses the footer line.
- On: adds a line with the server version number and the ServerName of the serving virtual host. After version 2.0.44, the details of the server version number presented are controlled by the ServerTokens directive.
- EMail: includes all the information set with On and additionally creates a "mailto:" reference to the ServerAdmin.
Note: setting these directives to provide minimal information will not by itself make your server more secure. If you run vulnerable versions you should upgrade them as soon as possible. Still, many worms check this banner and launch their attack only if they find something they like (for example a vulnerable mod_ssl); many others check nothing and simply try to exploit any server. Other, more complex fingerprinting applications can also find out various information about your web server even with these directives set to the minimum. Even so, there are advantages: they will not get information as accurate as what the Apache banner presents.
Conclusion: if you want to provide minimum information about your system set this in your main apache config:
ServerTokens ProductOnly
ServerSignature Off
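To verify that the setting above actually took effect, here is an added check script (not part of the original post): it reads raw HTTP response headers, classifies the Server banner into the ServerTokens level that would produce it, and flags anything above ProductOnly. The two responses embedded in it are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original post: classify the Server banner a
# host returns against the ServerTokens levels and flag anything above
# ProductOnly. The HTTP responses below are constructed samples.

# Print the value of the Server header from raw response headers on stdin.
# Real use: curl -sI http://yourhost/ | server_header
server_header() {
  tr -d '\r' | awk 'tolower($0) ~ /^server:/ {
      sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit }'
}

# Map a banner to the ServerTokens level that would produce it. Most specific
# patterns come first; a Full banner with no extra module tokens is
# indistinguishable from OS, so it is reported as OS.
classify_banner() {
  case "$1" in
    Apache/*" ("*") "?*)         echo Full ;;
    Apache/*" ("*")")            echo OS ;;
    Apache/[0-9].[0-9].[0-9]*)   echo Minimal ;;
    Apache/[0-9].[0-9])          echo Minor ;;
    Apache/[0-9])                echo Major ;;
    Apache)                      echo ProductOnly ;;
    "")                          echo none ;;
    *)                           echo unknown ;;
  esac
}

# Return 0 when the banner discloses no more than the product name.
banner_is_minimal() {
  lvl=$(classify_banner "$1")
  [ "$lvl" = ProductOnly ] || [ "$lvl" = none ]
}

# Constructed sample responses: a Debian default (Full) and the recommended
# ServerTokens ProductOnly configuration.
FULL_RESPONSE='HTTP/1.1 200 OK
Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b'
MINIMAL_RESPONSE='HTTP/1.1 200 OK
Server: Apache'

for resp in "$FULL_RESPONSE" "$MINIMAL_RESPONSE"; do
  hdr=$(printf '%s\n' "$resp" | server_header)
  if banner_is_minimal "$hdr"; then
    echo "OK   [$(classify_banner "$hdr")] Server: $hdr"
  else
    echo "LEAK [$(classify_banner "$hdr")] Server: $hdr"
  fi
done
```

Remember that ServerSignature is not visible in the headers: request a non-existent page and look at the bottom of the 404 body to confirm the footer line is gone.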
ps. check out future tips that will show how you can change the Apache banner to present some other information (for example SomeWebServer instead of Apache).