By default Apache displays information about itself in the server signature (included both in the reply headers and automatically generated directory indexes). This information can give away important clues, like the exact version number of a module or Apache itself.
While obscurity never increases security since exploits can be attempted on the service regardless, knowing exact version information and running modules certainly provides a potential hacker with useful clues and eases the task.
Thankfully Apache supports the necessary configuration parameters to fine tune the publicly displayed information through its ServerTokens and ServerSignature directives in httpd.conf.
ServerTokens
This directive controls the response which server sends to include the server details, OS and other complied modules. ServerTokens can take various values:
| ServerTokens | Displayed Info |
|---|---|
| Full (or not specified) | Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16 |
| ProductOnly (or Prod) | Apache |
| Major | Apache/2 |
| Minor | Apache/2.4 |
| Minimal (or Min) | Apache/2.4.6 |
| OS | Apache/2.4.6 (CentOS) |
ServerSignature
This directive can be used to configure the publicly displayed footer on server-generated documents (e.g. error pages, directory listings).
| ServerSignature | Result |
|---|---|
| Off | Nothing is displayed in the footer |
| On | Display the server version number and ServerName of the virtual host After Apache 2.0.44 the value of version number is controlled by the ServerTokens directive |
| As above and also include a link of the ServerAdmin email defined in configuration |
These values should only be changed if you’re comfortable around configuration files. Making a mistake in the httpd.conf can result in the whole server (and all sites) becoming non-functional. Create a backup in advanced in case you ever want to revert.
PHP
PHP also has a directive that can instruct it to add an indicator of its existence (and version number) to the returned server headers.
X-Powered-By PHP/5.4.16
Adjusting the value to Off in php.ini will remove this information
expose_php Off
Checking header information
Several tools exist in Linux to retrieve a server’s headers:
wget
# wget -S --spider http://sampledomain.com Connecting to sampledomain.com:80... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Date: Fri, 29 Sep 2017 17:33:49 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16 Accept-Ranges: bytes Content-Length: 23 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
lynx
# lynx -head -dump http://sampledomain.com HTTP/1.1 200 OK Date: Fri, 29 Sep 2017 17:44:07 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 Accept-Ranges: bytes Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8
curl
# curl -I http://sampledomain.com HTTP/1.1 200 OK Date: Fri, 29 Sep 2017 17:44:57 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 Accept-Ranges: bytes Content-Length: 23 Content-Type: text/html; charset=UTF-8
