
Masking your WebServer’s Name, Version and the OS it’s running on

Recently I wrote about the version information that web servers make available to the web browser. It was pointed out to me (by David Fosdike, a security expert) that it would be useful to discuss masking those details for security reasons.

The recent article is here.

This article is about changing how an Apache server presents itself to web browsers.

The “ServerTokens” directive in “/etc/httpd/conf/httpd.conf” is what you’ll need to change. On a Redhat/CentOS Apache installation, by default, the option is set to show only minimal information. In my testing, the Apache server running on CentOS had the directive set to “ServerTokens OS” and showed “Server: Apache/2.2.15 (CentOS)”. However, changing it to “ServerTokens Prod” reduced it to “Server: Apache”. More interestingly, if that option is not set at all, Apache will show a lot of details.

Having set the “ServerTokens” option to “ServerTokens Prod”, we get the following. The commands I typed are the “telnet” line and the “HEAD” line, and there is a double return/enter after the “HEAD” command:

andrews-air:~ agix$ telnet www.agix.com.au 80
Trying 1.2.3.4...
Connected to www.agix.com.au.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 16 Aug 2015 1:2:3 GMT
Server: Apache
Last-Modified: Mon, 30 Jun 1,2,3,4,5 GMT
ETag: "24296-4cd-f239847239843"
Accept-Ranges: bytes
Content-Length: 1229
Connection: close
Content-Type: text/html; charset=UTF-8

Connection closed by foreign host.
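
The same check can be scripted. The following is an added example, not code from the original article: it pulls the Server header out of a raw response like the one above and reports which ServerTokens level the banner is consistent with and which details it leaks. The sample responses are constructed, the function names are this example's own, and a Full banner with no module tokens looks the same as OS.

```python
import re

# Constructed responses; the first two use the banners quoted in the article,
# the third adds a made-up module token to show the "Full" shape.
SAMPLES = {
    "prod": "HTTP/1.1 200 OK\r\nServer: Apache\r\nConnection: close\r\n\r\n",
    "os": "HTTP/1.1 200 OK\r\nserver: Apache/2.2.15 (CentOS)\r\n\r\n",
    "full": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS) PHP/5.3.3\r\n\r\n",
}

BANNER = re.compile(
    r"^(?P<product>[^/\s]+)"              # Apache
    r"(?:/(?P<version>\d+(?:\.\d+)*))?"   # /2.2.15
    r"(?:\s+\((?P<os>[^)]*)\))?"          # (CentOS)
    r"(?P<modules>.*)$"                   # anything after: module tokens
)

def server_header(raw):
    """Return the Server header value from a raw response head, or None."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:     # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":  # header names are case-insensitive
            return value.strip()
    return None

def disclosure(raw):
    """Return (ServerTokens level the banner is consistent with, leaked fields)."""
    value = server_header(raw)
    if value is None:
        return ("absent", [])             # header stripped, e.g. by a proxy
    m = BANNER.match(value)
    if m is None:
        return ("unparsed", [])
    leaks = [k for k in ("version", "os") if m[k]]
    if m["modules"].strip():
        return ("Full", leaks + ["modules"])
    if m["os"] is not None:
        return ("OS", leaks)
    if m["version"]:
        depth = min(m["version"].count(".") + 1, 3)   # 2 / 2.2 / 2.2.15
        return (("Major", "Minor", "Min")[depth - 1], leaks)
    return ("Prod", leaks)

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, server_header(raw), disclosure(raw))
```

Anything other than a Prod result with an empty leak list means the banner still carries version, OS or module details.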
