2009
09.15

In the default configuration of Apache, any page will contain a full signature of the server. Server signatures reveal valuable information about the installed software and can be read (and exploited) by worms and attackers. It is therefore safer to turn this behavior off. This is how you do it:

Open Apache’s configuration file (httpd.conf or apache2.conf) and search for ServerSignature.

ServerSignature can be set to On, Off or EMail. Set it to Off.

After that, search for ServerTokens.

ServerTokens can be set to:

  • Prod (Server: Apache)
  • Min (Server: Apache/1.3.0)
  • OS (Server: Apache/1.3.0 (Unix))
  • Full (Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2)

Set it to Prod; as you can see, this reveals the least information.

If you use PHP on your webserver, another thing you can do is tell PHP not to show its version. To accomplish this, open PHP’s configuration file (php.ini), search for expose_php and set it to Off.

Obviously, after making these changes, we have to reload Apache. On a Red Hat / CentOS machine we do this by invoking

service httpd reload

On a Ubuntu / Debian machine we do this by invoking

/etc/init.d/apache2 reload
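To verify that the three settings above actually ended up in the files, here is an added audit script (not part of the original post). It takes the paths to your httpd.conf/apache2.conf and php.ini as arguments; the sample files it creates are constructed stand-ins for a stock and a hardened install.

```shell
#!/bin/sh
# Added example, not from the original post: audit an Apache config and a
# php.ini for the three information-disclosure settings discussed above.
# Directives inside <VirtualHost> blocks are not treated specially here.

# apache_value FILE DIRECTIVE: print the lower-cased value of the last active
# (uncommented) occurrence of DIRECTIVE, since in Apache the last definition
# wins; print "unset" if the directive does not appear.
apache_value() {
    v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null \
        | tail -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${v:-unset}"
}

# ini_value FILE KEY: the same for php.ini "key = value" lines.
ini_value() {
    v=$(grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null \
        | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//' | awk '{print tolower($1)}')
    printf '%s\n' "${v:-unset}"
}

# audit HTTPD_CONF PHP_INI: report each setting; return 0 only when all three
# carry the hardened value (an unset directive is reported as not hardened).
audit() {
    rc=0
    for check in "ServerSignature:off:$(apache_value "$1" ServerSignature)" \
                 "ServerTokens:prod:$(apache_value "$1" ServerTokens)" \
                 "expose_php:off:$(ini_value "$2" expose_php)"; do
        name=${check%%:*}; rest=${check#*:}; want=${rest%%:*}; got=${rest#*:}
        if [ "$got" = "$want" ]; then
            echo "OK   $name = $got"
        else
            echo "WARN $name = $got (want $want)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files standing in for a stock and a hardened install.
tmp=$(mktemp -d)
printf 'ServerSignature On\nServerTokens OS\n' > "$tmp/stock.conf"
printf 'expose_php = On\n' > "$tmp/stock.ini"
printf 'ServerSignature On\nServerSignature Off\nServerTokens Prod\n' > "$tmp/hard.conf"
printf ';expose_php = On\nexpose_php = Off\n' > "$tmp/hard.ini"
echo "stock install:";    audit "$tmp/stock.conf" "$tmp/stock.ini" || echo "-> fix and reload"
echo "hardened install:"; audit "$tmp/hard.conf" "$tmp/hard.ini"
```

Run it as `sh audit.sh` after editing the paths, or call audit with your real files; a non-zero exit status means at least one setting still leaks version information.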

3 comments so far

  1. Mischa ter Smitten

    Do you have any idea how to make a custom server signature?

  2. Mischa ter Smitten

    With mod_secure you can do that.