Hiding Apache Version From The World

Of all the security measures that you can apply to your server setup, this is one of the easiest and often most overlooked.

If you do not have custom error pages for server errors, for example 404 errors, the default Apache behavior is to shout out the version that is being used under its own error page.

For example, the screenshot below shows an open folder with no index.html. This is just for demo purposes, but the same would come up on any other page generated by the server:

Screen shot of index page of a server

You can see the Apache version and even the OS it is built on. Why is this a security flaw? Well, a potential hacker may know of bugs or security holes in certain versions of Apache, especially older versions whose bugs were published and fixed. You are immediately letting them know which exploits to try and use against you.

So how do you hide it?

I am going to give the steps on an Ubuntu server. Any other distribution will be similar, but file locations may vary.

Open the Apache conf file using your favourite text editor (I am using vim):

sudo vi /etc/apache2/apache2.conf

Simply add the following line:

ServerSignature Off

Exit the file and restart Apache.

Now let us check that page again:

Screen shot of server index page after the fix

That is better! Now we are no longer screaming out which version of Apache we are using! It was so easy to change as well.

But wait, there is more.

Open a terminal and run curl -v ip.address, where ip.address is the IP of your server.

Look at the output.

Screenshot of the output of curl -v

You can see the Server header with the Apache version there! This is being sent with every response from your server. Don't worry, this can be changed too.

Reopen the apache2.conf file and add:

ServerTokens Prod

Restart Apache and run the curl command again:

Screenshot of the output of curl -v after fix

As you can see, we are now only showing that we are using Apache, but not what version we are using.
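To check both fixes without squinting at curl output every time, here is a small added shell check (not part of the original post): it reports whether a captured response still leaks a version in the Server header (what ServerTokens Prod fixes) or in the footer of a generated error page (what ServerSignature Off fixes). The two sample responses are constructed for the demo, and example.com and ip.address are placeholders.

```shell
#!/bin/sh
# Added example: detect an Apache version leak in a saved HTTP response.

# header_leaks RESPONSE -> 0 if the Server header is absent or a bare product
# name such as "Apache"; 1 if it carries a version or OS detail.
header_leaks() {
    value=$(printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^[Ss]erver:[[:space:]]*//p' | head -n 1)
    case "$value" in
        *[0-9]*|*\(*) return 1 ;;   # e.g. "Apache/2.4.7 (Ubuntu)"
        *)            return 0 ;;   # e.g. "Apache", or no header at all
    esac
}

# signature_leaks RESPONSE -> 1 if the body still carries Apache's default
# signature line ("Apache/<version> ... Server at <host> Port <n>").
signature_leaks() {
    printf '%s\n' "$1" | grep -qi 'Apache/[0-9][^ ]* .*Server at ' && return 1
    return 0
}

# report RESPONSE -> prints one line per check, returns 1 if anything leaks.
report() {
    rc=0
    if header_leaks "$1"; then echo "header: ok"; else echo "header: LEAK"; rc=1; fi
    if signature_leaks "$1"; then echo "signature: ok"; else echo "signature: LEAK"; rc=1; fi
    return $rc
}

# Constructed sample: a default 404 page before either directive is set.
BEFORE='HTTP/1.1 404 Not Found
Server: Apache/2.4.7 (Ubuntu)
Content-Type: text/html

<address>Apache/2.4.7 (Ubuntu) Server at example.com Port 80</address>'

# Constructed sample: the same page with ServerTokens Prod and ServerSignature Off.
AFTER='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html

<p>The requested URL was not found on this server.</p>'

# Against a live server, feed curl's headers-plus-body output to the check:
#   report "$(curl -si http://ip.address/does-not-exist)"
```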

Summary

So there you have it. A very simple fix to a very simple problem: Opening the apache conf and adding 2 lines, ServerTokens Prod and ServerSignature Off.

This is obviously not the only measure required to make your site more secure. But it is one small step in the right direction.


© 2012-2017