Changing Apache Server Signature

A quick question. Do you need to know what Web Server I am running? Your answer is yes? I know, your answer is "I don't really care." Yes, I know you don't care, but I am sending you this information anyway with each web request.

Actually I use Apache and I said it many times on this blog. Giving up this information shouldn't be a big deal, but I do have the option to keep it private. If for some reason there is a bug in Apache Web Server, people can run bots to identify what server I am running and target me. Changing my web server name is only a small step to thwart a big chunk of bots that rely on this information to start their attack.

Modifying Apache Web Server Signature

HTTP/1.1 200 OK
Date: Thu, 09 Mar 2017 07:39:50 GMT
Server: Apache/2.4.7 (Ubuntu) <---- My web server
X-Powered-By: PHP/5.5.9-1ubuntu4.21
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 11343
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

In the Server tag you can see the server name and the OS I am running. Which I would rather keep private. Searching on the web for this information has yielded up a lot of inaccurate information. However, the simple and easy way to do it requires 2 simple steps.

libapache2-mod-security2 Module

Install this security module:

sudo apt-get install libapache2-mod-security2

ModSecurity is a toolkit to enable real-time web application monitoring and it also allows you to change the server signature. As far as I can tell, this is the only way to do so.

Once the module is installed, you can modify the Apache config under the file /etc/apache2/apache2.conf. Add this line around the end of the file.

<IfModule mod_security2.c>
SecServerSignature "Supa Serva"

Restart the server and your request will change to this:

HTTP/1.1 200 OK
Date: Thu, 09 Mar 2017 07:49:50 GMT
Server: Supa Serva <---- My web server
X-Powered-By: PHP/5.5.9-1ubuntu4.21
Vary: Accept-Encoding
Content-Encoding: gzip
Connection: Keep-Alive

Hiding the PHP signature

If you notice on the request, the PHP signature is also being sent. This can easily be hidden without installing anything. Open the file /etc/php/{version}/apache2/php.ini and search for expose_php. Set this property to off.

expose_php = Off

Restart/Reload the web server and the X-Powered-By header will no longer be available.


There are no comments added yet.

Let's hear your thoughts

For my eyes only