Hide Apache’s Server header

by Ofir on October 29th, 2009

It’s a good practice to hide the webserver’s signature, so the attacker doesn’t know what software your server runs.

A default installation of Apache under Ubuntu will show the following in the HTTP Server header:

Server: Apache/2.2.12 (Ubuntu)

If you wanna personalize the Server header, you’ll need to install mod_security, like so:

sudo apt-get install libapache2-mod-security2

Then just go to the file /etc/apache2/conf.d/security and add the following lines:

ServerTokens Full
SecServerSignature "Whatever you want"

It’s important to set the ServerTokens entry to Full. mod_security overwrites the existing signature in place, so otherwise it won’t be able to change your Server header if the replacement string is too long.
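To confirm that both directives are in place after editing the file, here is an added example (not part of the original post). The function names `effective_value`, `audit_conf` and `server_header` are illustrative, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit an Apache config file for the two directives above.
# Assumption: reads one file only; included files are not followed.

# effective_value DIRECTIVE FILE
# Print the last uncommented value of DIRECTIVE (names are case-insensitive).
effective_value() {
    awk -v want="$1" '
        /^[ \t]*#/ { next }                        # skip comment lines
        tolower($1) == tolower(want) {
            $1 = ""; sub(/^[ \t]+/, ""); val = $0  # keep text after the name
        }
        END { gsub(/^"|"$/, "", val); print val }  # strip surrounding quotes
    ' "$2"
}

# audit_conf FILE
# Print one verdict: no-override | override-may-not-apply | ok
audit_conf() {
    tokens=$(effective_value ServerTokens "$1" | tr 'A-Z' 'a-z')
    sig=$(effective_value SecServerSignature "$1")
    if [ -z "$sig" ]; then
        echo "no-override"               # Server header is Apache's own banner
    elif [ "$tokens" != "full" ]; then
        echo "override-may-not-apply"    # replacement may not fit
    else
        echo "ok"
    fi
}

# server_header: read HTTP response headers on stdin, print the Server value.
server_header() {
    awk 'tolower($0) ~ /^server:/ {
        sub(/^[^:]*:[ \t]*/, ""); sub(/\r$/, ""); print; exit }'
}

# Constructed sample config: override present, ServerTokens left at Prod.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'ServerTokens Prod' \
    'SecServerSignature "Whatever you want"' > "$sample"
audit_conf "$sample"
rm -f "$sample"
```

Run `audit_conf /etc/apache2/conf.d/security` against the file edited above, and pipe `curl -sI http://localhost/` (the URL is an assumption) into `server_header` to see the header clients actually receive.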

Now you can make attackers believe you’re running Winshit by setting your header to “Microsoft-IIS/7.0”. For an example, take a look at this site’s HTTP Server header.

Nice, huh?
