Apache is one of the most popular web servers, but on many Linux distributions its default configuration includes questionable options. Out of the box, Apache announces its exact version and the platform it is running on, information that could be valuable to attackers.
This short article shows you how to turn this behaviour off to protect your server. There’s usually no reason for it to be active, and it should only take a minute to disable.
What is the problem?
Here is a fresh Apache 2.4 installation showing a directory index:
The footer of the page shows the Apache version code, the operating system name, and your server’s internal IP address and port number.
These are potentially sensitive details. A zero-day vulnerability in Apache may only affect a small selection of versions. By leaving this output on, you indicate to the world if your machine is at risk. This makes it much easier for attackers to identify your host as a potential target.
Apache refers to this data as its “server signature”. It’s not limited to the directory index pages: the version code is also injected into every HTTP response, in the Server header. It is present regardless of the status code of the response, so attackers can find your exact Apache version simply by sending a single request to your server, whether or not they know a valid URL.
Disable the server signature
There are two parts to disabling this unwanted output. The first is the ServerSignature directive in your Apache configuration file. The location of this file varies between distributions; /usr/local/apache2/conf/httpd.conf is one common location. The ServerSignature directive is also supported inside .htaccess files in your web root.
Set the directive to Off to disable the signature that appears on server-generated webpages:
ServerSignature Off
Restart Apache for the change to take effect:
$ sudo service apache2 restart
This affects directory listings, Apache’s standard error pages, and other HTML output generated by the server.
Off removes the signature line completely. The setting also supports a third value, EMail, which is used together with the ServerAdmin directive:
ServerAdmin [email protected]
ServerSignature EMail
This will replace the Apache version information with the email link.
Managing server tokens
The content of the Server response header is controlled by another setting, ServerTokens. This can only be set in your server’s global configuration file; it is not supported inside .htaccess files.
The default is Full, which produces the exact version string and operating system name seen in the example above. This can also include the version numbers of loaded modules and CGI content engines like PHP.
The following alternative values are supported:
OS – Same as Full, but without information about loaded modules.
Prod – The safest choice. You can think of it as “Production”, although it’s actually short for “ProductOnly”. With this value the Server header shows only that you are using Apache, with no information about the version. Attackers need to do more trial and error to find exploitable vulnerabilities in your installation.
Unfortunately there is no way to remove the Server header entirely. In fact, Apache claims that disabling it “doesn’t make your server any more secure at all” and suggests using Min to ease the debugging of interoperation problems.
However, most people never consume the Server header, and it is always safest to publish as little information about your system as possible. ServerTokens Prod does not prevent the exploitation of vulnerabilities, but it could discourage attackers from speculative attempts. It also makes it harder for passers-by to glean details about the inner workings of your tech stack. It’s just a little hardening, but one day it might be the difference you need.
What about PHP?
Apache is often used in front of websites and applications powered by PHP. Unfortunately, PHP has its own habit of leaking its version number to the internet: it appears in the X-Powered-By header of responses sent from your PHP code.
You can turn this off by adding the following line to your PHP configuration file:
expose_php = Off
The configuration file can usually be found in a directory named after the PHP version; replace 8.1 in the path with the version you are using. You must restart your web server for the change to take effect.
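As an added example (not part of the original article), the following Python script audits a raw HTTP response for the three disclosures covered above: the Server header level set by ServerTokens, the ServerSignature footer in the HTML body, and PHP’s X-Powered-By header. The banner regexes and the two sample responses are my own assumptions, constructed to match the formats the article describes.

```python
"""Audit a raw HTTP response for the Server header, ServerSignature footer and X-Powered-By."""
import re

# Banner shapes for the ServerTokens levels named in the article (Full, OS, Min, Prod);
# the patterns assume Apache's usual "Apache/2.4.x (OS) module/version ..." layout.
_VERSION = r"Apache/\d+(?:\.\d+)*"
_OS_RE = re.compile(rf"^{_VERSION}\s*\(([^)]*)\)(.*)$")   # version + (OS) [+ modules]
_MIN_RE = re.compile(rf"^{_VERSION}$")                     # version only, no OS token
# ServerSignature On/EMail footer: "<address>Apache/2.4.41 (Ubuntu) Server at 10.0.0.5 Port 80</address>"
_SIGNATURE_RE = re.compile(r"<address>[^<]*?Server at [^<]+ Port \d+</address>", re.I)

def split_response(raw: bytes) -> tuple[dict[str, str], str]:
    """Split a raw HTTP/1.x response into lower-cased header names and the body."""
    head, _, body = raw.decode("latin-1").partition("\r\n\r\n")
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:                    # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def server_tokens_level(server: str) -> str:
    """Infer which ServerTokens value produced a given Server header."""
    s = server.strip()
    if s == "Apache":
        return "Prod"
    if _MIN_RE.match(s):
        return "Min"
    if (m := _OS_RE.match(s)):
        return "Full" if m.group(2).strip() else "OS"
    return "unknown"            # not an Apache banner (hidden, rewritten or another server)

def audit(raw: bytes) -> list[str]:
    """Return one finding per disclosure; an empty list means the response is clean."""
    headers, body = split_response(raw)
    findings = []
    level = server_tokens_level(headers.get("server", ""))
    if level in ("Full", "OS", "Min"):
        findings.append(f"Server header discloses version (ServerTokens {level}); set ServerTokens Prod")
    if "x-powered-by" in headers:
        findings.append(f"X-Powered-By present ({headers['x-powered-by']}); set expose_php = Off")
    if _SIGNATURE_RE.search(body):
        findings.append("ServerSignature footer in body; set ServerSignature Off")
    return findings

# Constructed sample responses (not captured from a real host).
LEAKY = (b"HTTP/1.1 404 Not Found\r\nServer: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f PHP/7.4.3\r\n"
         b"X-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n\r\n<html><body><h1>Not Found</h1>"
         b"<hr><address>Apache/2.4.41 (Ubuntu) Server at 10.0.0.5 Port 80</address></body></html>")
HARDENED = (b"HTTP/1.1 404 Not Found\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body><h1>Not Found</h1></body></html>")
```

Running `audit(LEAKY)` yields three findings, one for each setting discussed in the article, while `audit(HARDENED)` returns an empty list.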
Apache’s default configuration shows the exact version number of your server, as well as its operating system and IP address. This seemingly harmless information can help attackers locate vulnerable servers.
Disabling the server signature is a quick way to harden your environment. It’s also a good idea to address the disclosure of similar information by other software in your stack at the same time; PHP and some web frameworks have similar vulnerabilities.