A quick question. Do you need to know what Web Server I am running? Your answer is yes? I know, your answer is "I don't really care." Yes, I know you don't care, but I am sending you this information anyway with each web request.
Actually, I use Apache, and I have said so many times on this blog. Giving up this information shouldn't be a big deal, but I do have the option to keep it private. If for some reason there is a bug in the Apache web server, people can run bots that identify which server I am running and target me. Changing my web server name is only a small step, but it thwarts a big chunk of bots that rely on this information to start their attack.
Modifying Apache Web Server Signature
HTTP/1.1 200 OK
Date: Thu, 09 Mar 2017 07:39:50 GMT
Server: Apache/2.4.7 (Ubuntu) <---- My web server
X-Powered-By: PHP/5.5.9-1ubuntu4.21
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 11343
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
In the Server header you can see the server name and the OS I am running, which I would rather keep private. Searching the web for this information yielded a lot of inaccurate advice. However, the simple and easy way to do it requires only two steps.
libapache2-mod-security2 Module
Install this security module:
sudo apt-get install libapache2-mod-security2
ModSecurity is a toolkit for real-time web application monitoring, and it also allows you to change the server signature. As far as I can tell, this is the only way to do so.
Once the module is installed, you can modify the Apache config in the file /etc/apache2/apache2.conf. Add these lines near the end of the file.
<IfModule mod_security2.c>
SecServerSignature "Supa Serva"
</IfModule>
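A complete version of that snippet, added here as an example and not taken from the post: ModSecurity overwrites the signature string in place, so its reference manual requires ServerTokens to be set to Full (the replacement must not be longer than the real signature, and a shorter ServerTokens level would leave nothing for it to replace). ServerSignature Off keeps the real version out of Apache-generated error pages as well. The name "Supa Serva" is the post's own value.

```apache
# /etc/apache2/apache2.conf (added example; adjust the path for your distribution)

# ModSecurity can only rewrite the full signature, so do not shorten it here.
ServerTokens Full

# Keep the version string out of Apache's own error and index pages.
ServerSignature Off

<IfModule mod_security2.c>
    # Replace what is sent in the Server response header.
    SecServerSignature "Supa Serva"
</IfModule>
```

Reload Apache afterwards (for example, sudo systemctl reload apache2) and confirm the new Server header with a HEAD request before trusting the change.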
Restart the server and the response headers will change to this:
HTTP/1.1 200 OK
Date: Thu, 09 Mar 2017 07:49:50 GMT
Server: Supa Serva <---- My web server
X-Powered-By: PHP/5.5.9-1ubuntu4.21
Vary: Accept-Encoding
Content-Encoding: gzip
Connection: Keep-Alive
Hiding the PHP signature
If you look at the response, the PHP signature is also being sent. This can easily be hidden without installing anything. Open the file /etc/php/{version}/apache2/php.ini, search for expose_php, and set this property to Off.
expose_php = Off
Restart/reload the web server and the X-Powered-By header will no longer be sent.
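To verify both changes (the Server header from the ModSecurity step and the X-Powered-By header from the PHP step) without eyeballing the output, here is a small POSIX shell checker. It is an added example, not part of the original post: the two captured responses are constructed samples modelled on the headers shown above, header_value and signature_leaks are hypothetical helper names, and the optional live check uses curl -sI against a URL you supply.

```shell
#!/bin/sh
# Added example: check a captured HTTP response for software-identifying headers.
# Both responses below are constructed samples modelled on the post's output.

BEFORE='HTTP/1.1 200 OK
Date: Thu, 09 Mar 2017 07:39:50 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.21
Content-Type: text/html; charset=utf-8
'

AFTER='HTTP/1.1 200 OK
Date: Thu, 09 Mar 2017 07:49:50 GMT
Server: Supa Serva
Content-Type: text/html; charset=utf-8
'

# header_value RESPONSE NAME
# Prints the value of header NAME (case-insensitive match on the name),
# or nothing if the header is absent. CR characters from CRLF responses are dropped.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//'
}

# signature_leaks RESPONSE
# Prints one line per leak found; returns 0 when the response looks clean, 1 otherwise.
signature_leaks() {
    leaks=0
    srv=$(header_value "$1" Server)
    # A product name or a parenthesised OS comment means the real signature is still visible.
    case "$srv" in
        *Apache*|*nginx*|*\(*) echo "Server header reveals software/OS: $srv"; leaks=1 ;;
    esac
    php=$(header_value "$1" X-Powered-By)
    if [ -n "$php" ]; then
        echo "X-Powered-By header still sent: $php"
        leaks=1
    fi
    return $leaks
}

# live_check URL
# Fetch only the headers of URL with curl and run the same check (needs network access).
live_check() {
    signature_leaks "$(curl -sI "$1")"
}

if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    live_check "$2"
else
    echo "== before =="; signature_leaks "$BEFORE" || true
    echo "== after ==";  signature_leaks "$AFTER" && echo "no signature leaks"
fi
```

Run it with no arguments to see the constructed before/after comparison, or as ./check.sh --live https://example.test/ (a placeholder URL) to test a server you administer after the reload.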