13

I have added these 2 lines in my etc/apache2.conf file, and it hid the OS and Apache version.

ServerSignature Off
ServerTokens Prod

But I can still see the header with the server name

Server  Apache

How can I hide this information as well? I am using Debian 7, Apache v2.2.

Thanks

dav

3 Answers

27

Apache on its own cannot completely unset the Server header (not even with mod_headers).

This appears to be by design, as discussed by the Apache devs.

There is a way to do this using ModSecurity, but I know little about that. Instead, these people have it all figured out already:

https://unix.stackexchange.com/questions/124137/change-apache-httpd-server-http-header

I can verify that this works, just tried on Debian 7.6.

Edit: install ModSecurity for Apache and then add this to your apache2.conf.

<IfModule security2_module>
    SecRuleEngine on
    ServerTokens Full
    SecServerSignature " "
</IfModule> 

After this, restart Apache and the Server header will disappear.

dav
Ramón
  • 1
    thanks man, that worked !!, i just edited your answer and included that code snippet. – dav Oct 10 '14 at 14:53
  • After searching for several hours, this is the one solution that seemed to work. Thanks! – ET Come Back Oct 31 '18 at 18:42
  • 1
    By setting `ServerTokens Min` I was also able to remove the loaded modules (e.g. `mod_fastcgi`) from the header response that appeared after the blank server name. – SharpC Jan 26 '21 at 15:07
  • @SharpC thanks for your answer. I solved my mod_fastcgi problem with Min option. – Kadir Y. Jun 03 '22 at 08:54
  • Doesn't seem to work on `https` if `ServerTokens` set to `prod`, but it works fine on `http`. With `Full` or `Min` it works on both `http` and `https`...go figure – vanowm Aug 24 '22 at 01:50
6

To confuse the hacker and make him guess what Linux OS or what version of Apache is being used, you can change the Apache server name to whatever you want.

For ubuntu 20.04:

Apache default configuration:

$ sudo apt install apache2 -y

$ curl -I localhost

HTTP/1.1 200 OK
Date: Fri, 23 Oct 2020 01:31:44 GMT
Server: Apache/2.4.41 (Ubuntu)

Change the Apache server name to whatever you want:

$ sudo apt install libapache2-mod-security2

$ sudo a2enmod security2

$ sudo vim /etc/apache2/conf-available/security.conf

ServerTokens Full

ServerSignature Off

SecServerSignature Microsoft-IIS/10.0

$ sudo systemctl restart apache2

$ curl -I localhost

HTTP/1.1 200 OK
Date: Fri, 23 Oct 2020 01:54:00 GMT
Server: Microsoft-IIS/10.0

If the SecServerSignature option is set to `SecServerSignature " "`, this completely hides the Apache server name.

$ curl -I localhost

HTTP/1.1 200 OK
Date: Fri, 23 Oct 2020 02:39:50 GMT
Server:
bl3ssedc0de
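A way to check the result of the settings above, added here as an example and not part of any answer: it classifies what the `Server` header in `curl -I` output still discloses, and `check_site` runs it over both http and https because a comment above reports different results per scheme. The function names and category labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: report what the Server response header still discloses.
# Function names and category labels are this example's own.

# Reads a raw HTTP response head (e.g. `curl -sI` output) on stdin, prints one of:
#   absent   - no Server header in the response
#   blank    - header present but empty (the SecServerSignature " " case)
#   product  - bare product name such as "Apache" (the ServerTokens Prod case)
#   detailed - version, OS or module tokens visible (also any "Name/1.0" style
#              replacement string set through SecServerSignature)
classify_server_header() {
    awk '
        BEGIN { state = "absent" }
        { sub(/\r$/, "") }                # responses use CRLF line endings
        /^$/ { exit }                     # blank line ends the header block
        tolower($0) ~ /^server:/ {
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value)
            sub(/[ \t]+$/, "", value)
            if (value == "")
                state = "blank"
            else if (value ~ /[0-9]/ || index(value, "/") || index(value, " ") || index(value, "("))
                state = "detailed"
            else
                state = "product"
        }
        END { print state }
    '
}

# Checks both schemes of one host you administer, e.g. `check_site localhost`.
check_site() {
    for scheme in http https; do
        if resp=$(curl -sI --max-time 5 "$scheme://$1/"); then
            printf '%s: %s\n' "$scheme" "$(printf '%s\n' "$resp" | classify_server_header)"
        else
            printf '%s: unreachable\n' "$scheme"
        fi
    done
}

# Constructed sample in the shape of the curl -I output above; prints "detailed".
printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n' | classify_server_header
```

Anything other than `blank` or `absent` on either scheme means the header is still being sent with content.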
1

It's the equivalent of adding:

SecServerSignature " "

To the file: /etc/apache2/mods-available/security2.conf

George G
  • 1
    You lacked to state that the `libapache2-mod-security2` package is needed, your solution prior to installing it left me with a broken Apache instance. But the answer by 'blessed' helped! Thanks anyway. – MS Berends Nov 16 '20 at 19:24
  • 1
    @MSBerends I see, thanks for the comment and stating that. – George G Nov 18 '20 at 17:17