All Linux HowTo's Scripting HowTo's

Masking your WebServer’s Name, Version and the OS it’s running on

Recently i wrote about the version information that WebServer’s make available to the web browser. It’s was pointed out to me (by David Fosdike, a security expert) that it would be useful to discuss masking those details for security reasons.

The recent article is here.

This article is about changing how an Apache server presents its self to web browsers.

The directive “ServerTokens” in “/etc/httpd/conf/httpd.conf is what you’ll need to change. On a Redhat/CentOS Apache installation, by default, the option is set to show only minimal information. In my testing, the Apache server running on CentOS had the directive set to “ServerTokens OS” and showed “Server: Apache/2.2.15 (CentOS)”. However, changing it to “ServerTokens Prod” reduced it to “Server: Apache”. More interestingly, if that option is not set at all, Apache will show a lot of details.

Having set the “ServerTokens” option to “ServerTokens Prod”, we get the following – notice my commands are in bold and there is a double-return/enter after the “HEAD” command:

andrews-air:~ agix$ telnet www.agix.com.au 80
Trying 1.2.3.4...
Connected to www.agix.com.au.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 16 Aug 2015 1:2:3 GMT
Server: Apache
Last-Modified: Mon, 30 Jun 1,2,3,4,5 GMT
ETag: "24296-4cd-f239847239843"
Accept-Ranges: bytes
Content-Length: 1229
Connection: close
Content-Type: text/html; charset=UTF-8

Connection closed by foreign host.

Similar Posts:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.