Virtual Brain Online Logo

Bookmark: Root \ Apache \ Change how Apache2 identifies itself with ServerTokens

Change how Apache2 identifies itself with ServerTokens


Last Updated: 2006-09-27

Change how Apache2 identifies itself with ServerTokens

The ServerTokens should be changed to make it a little harder for an attacker to break into your web server. By changing the ServerTokens directive, you can control how the Apache2 web server identifies itself. Usually it gives away all sorts of information which might make it easier or quicker for an intruder to break into your server.

Here is how my Apache2 web server used to identify itself:
Server: Apache/2.0.54 (Linux/SUSE) PHP/5.0.4
The problem with this is, if a remote exploit to either Apache 2.0.54 or PHP 5.0.4 is found a possible attacker will be able to identify me as a target system right away.

To test it yourself, open a console window.


Command:
telnet localhost 80
HEAD / HTTP/1.0

After HEAD / HTTP/1.0, press enter twice and examine the output.

My output before modification:

Command:
HTTP/1.1 200 OK
Date: Sat, 26 Nov 2005 23:50:29 GMT
Server: Apache/2.0.54 (Linux/SUSE) PHP/5.0.4
X-Powered-By: PHP/5.0.4
Connection: close
Content-Type: text/html

And after the modification:

Command:
HTTP/1.1 200 OK
Date: Sat, 26 Nov 2005 23:50:29 GMT
Server: Apache
X-Powered-By: PHP/5.0.4
Connection: close
Content-Type: text/html

As you can see, only PHP needs to be changed now, check Virtual Brain Online to find out how.


So, to control Apache2's behavior of version announcements, open your main server configuration file and add or modify the following.

File:
Filename: httpd.conf
### 'Server Tokens configuration ####
# ServerTokens control how Apache2 identifies itself.
# You can test your web server like this, type everything inside quotes.
# "telnet localhost 80"
# "HEAD / HTTP/1.0" press ENTER twice and look for Server:
# For more information visit http://www.network-technologies.org and ask
# Virtual Brain Online
#
# ServerTokens ProductOnly
# Server: Apache
# ServerTokens Minimal
# Server: Apache/2.0.54
# ServerTokens OS
# Server: Apache/2.0.54 (Linux/SUSE)
# ServerTokens Full
# Server: Apache/2.0.54 (Linux/SUSE) PHP/5.0.4
ServerTokens ProductOnly


ServerTokens are not allowed inside VirtualHost configuration options.
Originally Posted by Skylinux @ 2005-11-26 18:58:13

 

No Comments yet .....

 

Add Your Comment:

Note: All posts require administrator approval. Please allow 24 hours for message approval.

Name:
E-Mail:
Title
Plain text only, less then 65 000 characters.

Please write the numerical representation of six hundred twenty-five into the box below.

Please answer the question above and type the answer into the text box below.