Removing system and version information from apache webserver


  • Removing system and version information from apache webserver

    Often, when we get a 404 or any other error from an Apache web server, the error page shows which web server is running, which version it is, and what OS the website runs on. This information attracts a lot of attention from "some" people who look for open doors to attack websites or servers.


    So we have to stop providing this information in error pages and similar output. How can this be done? We can do it easily by tweaking two directives in the Apache web server configuration file: ServerTokens and ServerSignature. From the Apache documentation:

    ServerTokens: This directive controls whether Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.

    ServerSignature : The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents (error messages, mod_proxy ftp directory listings, mod_info output, ...)

    This is the error we were getting before the changes:

    Not Found
    The requested URL /hh was not found on this server.
    Apache/2.2.3 (CentOS) Server at www.example.com Port 80

    Now, we will change the following parameters and restart apache web server.

    Code:
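      # Open the Apache configuration file
      vim /etc/httpd/conf/httpd.conf

      # In httpd.conf: comment out the old values and set the new ones
      #ServerTokens OS
      ServerTokens Prod

      #ServerSignature On
      ServerSignature Off

      # Restart Apache to apply the change
      /etc/init.d/httpd restart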
    Now the error page looks like this:
    Not Found
    The requested URL /hh was not found on this server.

    That's it. Now try it yourself. :)
    Last edited by kuldeep; 02-21-2015, 02:32 AM.
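
The following is an added example, not part of the original post: a small shell audit that reports the effective ServerTokens and ServerSignature values in a config file and checks captured response text for a version banner like the one shown above. It assumes a single flat httpd.conf (Include files and per-VirtualHost overrides are not followed), and the function names are hypothetical.

```shell
#!/bin/sh
# Print the effective value of a directive: the last uncommented occurrence
# wins; if absent, fall back to the default passed in by the caller.
effective_directive() {  # usage: effective_directive FILE NAME DEFAULT
    awk -v name="$2" -v def="$3" '
        /^[ \t]*#/ { next }                        # skip commented-out lines
        tolower($1) == tolower(name) { val = $2 }  # names are case-insensitive
        END { print (val != "" ? val : def) }
    ' "$1"
}

# Return 0 if the file uses the settings from the post, 1 otherwise.
# Apache defaults when a directive is missing: ServerTokens Full, ServerSignature Off.
audit_httpd_conf() {  # usage: audit_httpd_conf FILE
    tokens=$(effective_directive "$1" ServerTokens Full)
    sig=$(effective_directive "$1" ServerSignature Off)
    rc=0
    case "$(printf %s "$tokens" | tr 'A-Z' 'a-z')" in
        prod|productonly) ;;   # header is still sent, but only as "Server: Apache"
        *) echo "WEAK: ServerTokens $tokens"; rc=1 ;;
    esac
    case "$(printf %s "$sig" | tr 'A-Z' 'a-z')" in
        off) ;;
        *) echo "WEAK: ServerSignature $sig"; rc=1 ;;
    esac
    return $rc
}

# Read response text (headers and/or body) on stdin. Return 0 if it carries a
# version banner ("Apache/2.2.3 ...") or a signature footer, 1 if it is clean.
response_leaks_banner() {
    grep -Eiq 'Apache/[0-9]|Apache.* Server at .* Port [0-9]+'
}

# Constructed sample configs: the old values from the post, then the new ones.
conf=$(mktemp)
printf 'ServerTokens OS\nServerSignature On\n' > "$conf"
audit_httpd_conf "$conf" || echo "-> fix needed"
printf '#ServerTokens OS\nServerTokens Prod\n#ServerSignature On\nServerSignature Off\n' > "$conf"
audit_httpd_conf "$conf" && echo "-> OK"
rm -f "$conf"
```

To check your own running server after the restart, pipe the output of `curl -si http://localhost/hh` into `response_leaks_banner`.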