Of all the security measures you can apply to your server setup, this is one of the easiest and one of the most often overlooked.
If you have not configured custom error pages (for 404 errors, say), the default Apache behaviour on Ubuntu is to print the exact version it is running in a footer at the bottom of its own generated error page.
For example, the screenshot below shows the directory listing for a folder with no index.html. This is just for demo purposes; the same footer appears on any other page the server generates itself, such as its default 404 or 403 error pages:
You can see the Apache version and even the OS it is built on. Why is this a security flaw? Because an attacker who knows the exact version can look up the published bugs and security holes for it, particularly in older versions whose flaws have long been disclosed and fixed, and go straight to the exploits that apply. You are immediately telling them which ones to try against you. Hiding the banner does not fix those bugs, of course, so keeping Apache patched still matters; it just stops you advertising them.
So how do you hide it?
I am going to give the steps on an Ubuntu server. Any other distribution will be similar, but file locations may vary.
Open the Apache conf file using your favourite text editor (I am using vim):
sudo vi /etc/apache2/apache2.conf
Simply add the following line:
Save the file and restart Apache (on Ubuntu: sudo systemctl restart apache2). If you want to check the syntax before restarting, run sudo apachectl configtest first.
Now let us check that page again:
That is better! We are no longer screaming out which version of Apache we are using, and it was a one-line change.
But wait, there is more.
Open a terminal and run
curl -v http://ip.address/
where ip.address is the IP of your server.
Look at the response headers in the output.
You can see the Server header with the Apache version in it! This header is sent with every response from your server, not only on error pages, so the footer fix alone is not enough. Don't worry, this can be changed too.
Open the apache2.conf file again and add the ServerTokens Prod directive.
Restart Apache and run the curl command again:
As you can see, the Server header now says only that we are using Apache, not which version. That is as far as this directive goes: Prod is the minimum setting of ServerTokens, and removing the product name entirely needs something beyond it (for example the ModSecurity SecServerSignature directive).
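Two things are worth checking before you call this done, and the script below does both. It is an added example, not code from the original post. First, on Ubuntu the directives in question already exist: /etc/apache2/conf-enabled/security.conf ships with ServerTokens OS and ServerSignature On (ServerTokens controls the Server header and the version string in the footer; ServerSignature switches the footer itself on or off), and apache2.conf pulls that file in with an IncludeOptional near its end. Apache takes the last occurrence of a server-level directive, so a line added to apache2.conf above that IncludeOptional is silently overridden; the audit below resolves directives the same way. Second, the curl check can be scripted so you notice if a later package upgrade or config change reintroduces the version. The response and config texts are constructed samples.

```shell
#!/bin/sh
# Added example; not code from the original post. Assumes the Debian/Ubuntu
# layout described above (security.conf included from apache2.conf).

# Constructed copies of the shipped defaults and of the hardened settings.
DEFAULT_CONF='ServerTokens OS
ServerSignature On'

HARDENED_CONF='ServerTokens Prod
ServerSignature Off'

# Print the effective value of one directive from config text on stdin:
# directive names are case-insensitive and, as in httpd, the last one wins.
effective_directive() {
  sed 's/\r$//' | awk -v n="$1" 'tolower($1) == tolower(n) { v = $2 } END { print v }'
}

# Report "hardened" when the config text sets ServerTokens Prod and
# ServerSignature Off, otherwise "weak" with the values actually in force.
audit_conf() {
  tokens=$(printf '%s\n' "$1" | effective_directive ServerTokens | tr 'A-Z' 'a-z')
  sig=$(printf '%s\n' "$1" | effective_directive ServerSignature | tr 'A-Z' 'a-z')
  if [ "$tokens" = prod ] && [ "$sig" = off ]; then
    echo hardened
  else
    echo "weak (ServerTokens=${tokens:-unset} ServerSignature=${sig:-unset})"
  fi
}

# Classify the Server header of a raw HTTP response held in a string:
# "leaks" if it carries a version number, "minimal" if only a product name
# remains (what ServerTokens Prod produces), "absent" if there is no header.
classify_server_header() {
  hdr=$(printf '%s\n' "$1" | tr -d '\r' \
        | awk 'tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }')
  if [ -z "$hdr" ]; then
    echo absent
  elif printf '%s' "$hdr" | grep -qE '[0-9]+\.[0-9]+'; then
    echo leaks
  else
    echo minimal
  fi
}

# Constructed responses, shaped like the before/after curl runs in the post.
RESP_BEFORE='HTTP/1.1 404 Not Found
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html'

RESP_AFTER='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html'

# Against a live server, feed in the real data instead:
#   classify_server_header "$(curl -sI http://ip.address/)"
#   audit_conf "$(cat /etc/apache2/apache2.conf /etc/apache2/conf-enabled/*.conf)"
# (the cat order only approximates the include order; keep the override rule in mind).
echo "shipped defaults:  $(audit_conf "$DEFAULT_CONF")"
echo "hardened settings: $(audit_conf "$HARDENED_CONF")"
echo "header before: $(classify_server_header "$RESP_BEFORE")"
echo "header after:  $(classify_server_header "$RESP_AFTER")"
```

The audit is deliberately file-based rather than asking the running server, because the whole point is to catch a directive that is present in the file you edited but overridden by a later include; the header check then confirms what clients actually see.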
So there you have it. A very simple fix to a very simple problem: open the Apache conf and add two lines,
ServerTokens Prod and
This is obviously not the only measure required to make your site more secure, but it is one small step in the right direction.