Control Apache’s public server information

By default Apache displays information about itself in the server signature (included both in the reply headers and automatically generated directory indexes). This information can give away important clues, like the exact version number of a module or Apache itself.

While obscurity never increases security on its own, since exploits can be attempted against the service regardless, knowing the exact version numbers and loaded modules certainly gives a potential attacker useful clues and eases their task.

Thankfully Apache supports the necessary configuration parameters to fine tune the publicly displayed information through its ServerTokens and ServerSignature directives in httpd.conf.

ServerTokens

This directive controls how much the Server response header reveals: the product name alone, or also the version, OS and other compiled-in modules. ServerTokens can take the following values:

ServerTokens              Displayed Info
Full (or not specified)   Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16
ProductOnly (or Prod)     Apache
Major                     Apache/2
Minor                     Apache/2.4
Minimal (or Min)          Apache/2.4.6
OS                        Apache/2.4.6 (CentOS)

ServerSignature

This directive can be used to configure the publicly displayed footer on server-generated documents (e.g. error pages, directory listings).

ServerSignature   Result
Off               Nothing is displayed in the footer
On                Displays the server version number and the ServerName of the virtual host (since Apache 2.0.44 the version number shown here is controlled by the ServerTokens directive)
Email             As above, and also includes a mailto: link to the ServerAdmin email address defined in the configuration

These values should only be changed if you're comfortable around configuration files. A mistake in httpd.conf can leave the whole server (and all sites on it) non-functional, so create a backup in advance in case you ever need to revert.

PHP

PHP also has a directive that can instruct it to add an indicator of its existence (and version number) to the returned server headers.

X-Powered-By	PHP/5.4.16

Setting expose_php to Off in php.ini removes this header:

expose_php = Off

Checking header information

Several tools exist in Linux to retrieve a server’s headers:

wget

# wget -S --spider http://sampledomain.com
Connecting to sampledomain.com:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Fri, 29 Sep 2017 17:33:49 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16
Accept-Ranges: bytes
Content-Length: 23
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

lynx

# lynx -head -dump http://sampledomain.com
HTTP/1.1 200 OK
Date: Fri, 29 Sep 2017 17:44:07 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Accept-Ranges: bytes
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8

curl

# curl -I http://sampledomain.com
HTTP/1.1 200 OK
Date: Fri, 29 Sep 2017 17:44:57 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Accept-Ranges: bytes
Content-Length: 23
Content-Type: text/html; charset=UTF-8
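Putting the two halves of the article together, the following script is an added example (not from the original post): one helper writes the hardened ServerTokens/ServerSignature directives to a drop-in file, and another audits a captured header dump of the kind wget, lynx and curl produce above, counting headers that still leak product details. The drop-in path and the two sample header dumps are constructed for illustration; the header format is the same as the tool output shown on this page.

```shell
#!/bin/sh
# Added example, not from the original post. Two helpers:
#   write_hardening_conf  - writes the article's hardened directives to a drop-in file
#   count_leaks           - audits a captured header dump (curl -I, wget -S, lynx -head)
# The drop-in path and the sample header dumps below are constructed for illustration.

# Write the minimal-disclosure settings to a drop-in file. On CentOS/RHEL this would
# live under /etc/httpd/conf.d/ (assumption; adjust for your distribution).
write_hardening_conf() {
  cat > "$1" <<'EOF'
# Only "Apache" in the Server header, no version/OS/module list
ServerTokens Prod
# No footer on error pages and directory listings
ServerSignature Off
EOF
}

# Print the number of leaky headers found in a header dump; details go to stderr.
# Lines may be indented (wget -S prefixes each header line with two spaces).
count_leaks() {
  hdrs="$1"
  leaks=0
  # Anything beyond the bare product name in Server: (version digits, an OS in
  # parentheses, module or library names) means ServerTokens is not Prod.
  if printf '%s\n' "$hdrs" | grep -iE '^[[:space:]]*Server:.*(/[0-9]|\(|mod_|OpenSSL|PHP)' >/dev/null; then
    echo "LEAK: Server header reveals version/OS/module details (set ServerTokens Prod)" >&2
    leaks=$((leaks + 1))
  fi
  # PHP announcing itself means expose_php is still On.
  if printf '%s\n' "$hdrs" | grep -iE '^[[:space:]]*X-Powered-By:' >/dev/null; then
    echo "LEAK: X-Powered-By header present (set expose_php = Off in php.ini)" >&2
    leaks=$((leaks + 1))
  fi
  echo "$leaks"
}

# Constructed sample dumps: the default configuration vs. the hardened one.
BEFORE_HEADERS='HTTP/1.1 200 OK
Date: Fri, 29 Sep 2017 17:44:57 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Type: text/html; charset=UTF-8'

AFTER_HEADERS='HTTP/1.1 200 OK
Date: Fri, 29 Sep 2017 17:44:57 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8'

# Stand-alone run: write the drop-in to a temp dir and audit both dumps.
tmpdir=$(mktemp -d)
write_hardening_conf "$tmpdir/security.conf"
echo "Wrote $tmpdir/security.conf:"; cat "$tmpdir/security.conf"
echo "Default config leaks:  $(count_leaks "$BEFORE_HEADERS")"   # 2
echo "Hardened config leaks: $(count_leaks "$AFTER_HEADERS")"    # 0
```

To audit a live host instead of the constructed samples, feed the real dump in, e.g. count_leaks "$(curl -sI http://sampledomain.com)". Note that the check is deliberately strict: Major, Minor, Minimal and OS all still expose a version fragment, so only ServerTokens Prod passes.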
