Change how Apache2 identifies itself with ServerTokens
Last Updated: 2006-09-27
The ServerTokens directive controls how the Apache2 web server identifies itself, and it should be changed to make it a little harder for an attacker to break into your web server. By default Apache2 usually gives away all sorts of information which might make it easier or quicker for an intruder to break into your server.
Here is how my Apache2 web server used to identify itself:
Server: Apache/2.0.54 (Linux/SUSE) PHP/5.0.4
The problem with this is that if a remote exploit for either Apache 2.0.54 or PHP 5.0.4 is found, a possible attacker will be able to identify my server as a target system right away.
To test it yourself, open a console window.
Command:
|
After typing HEAD / HTTP/1.0, press Enter twice and examine the output.
My output before modification:
Command:
|
And after the modification:
Command:
|
As you can see, only PHP needs to be changed now; check Virtual Brain Online to find out how.
So, to control how Apache2 announces its version, open your main server configuration file and add or modify the following.
File:
|
The ServerTokens directive is not allowed inside VirtualHost configuration sections, so set it in the main server configuration.
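To check the result of the HEAD test above without reading the output by eye, the following added example (not part of the original article) parses a saved response, lists the product versions the Server header discloses, and names the lowest-disclosure ServerTokens setting consistent with it. The function names and the sample responses are assumptions made for this illustration; only the first Server value comes from the article.

```python
import re

# A Server value is a list of product tokens (name[/version]) and
# parenthesised comments, e.g. "Apache/2.0.54 (Linux/SUSE) PHP/5.0.4".
TOKEN_RE = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/([^\s()]+))?")

def server_header(raw_response):
    """Return the Server header value from raw HEAD output, or None."""
    for line in raw_response.splitlines()[1:]:    # skip the status line
        if not line.strip():
            break                                 # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

def parse_server(value):
    """Split a Server value into [(product, version or None)] and [comments]."""
    products, comments = [], []
    for m in TOKEN_RE.finditer(value):
        if m.group(1) is not None:
            comments.append(m.group(1))
        else:
            products.append((m.group(2), m.group(3)))
    return products, comments

def tokens_level(value):
    """Name the lowest-disclosure ServerTokens setting matching this value."""
    products, comments = parse_server(value)
    if not products:
        return None
    if len(products) > 1:
        return "Full"             # modules such as PHP are announced too
    if comments:
        return "OS"               # version plus operating system
    version = products[0][1]
    if version is None:
        return "Prod"             # product name only
    return {0: "Major", 1: "Minor"}.get(version.count("."), "Min")

def disclosed_versions(raw_response):
    """List 'product/version' strings readable from the Server header."""
    value = server_header(raw_response) or ""
    return [f"{p}/{v}" for p, v in parse_server(value)[0] if v]

# Constructed sample responses; only the first Server value is from the article.
BEFORE = "HTTP/1.1 200 OK\r\nServer: Apache/2.0.54 (Linux/SUSE) PHP/5.0.4\r\n\r\n"
AFTER = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"
```

An empty list from disclosed_versions() means the Server header no longer names a version; other headers, such as the one PHP adds, are not inspected here.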
Originally Posted by Skylinux @ 2005-11-26 18:58:13