If you've ever landed on a webserver's error page, it will usually state the error followed by information about the server. This customarily includes the webserver software and its version, sometimes the modules compiled in, and the server's address and port. While this might look generous and helpful, it also lets attackers and other curious parties learn exactly what the server is running, down to the version, and that information can be used for nefarious purposes. An example of this tell-tale signature can be seen below:
Apache/2.x.xx (Ubuntu) Server at example.com Port 80
If you are running Apache on an Ubuntu (or Debian, I guess) server, this information can be switched off by setting a couple of configuration variables accordingly. The steps to do so are as outlined below:
- Navigate to
- Open the file named security in an editor.
- First look for a directive for ServerTokens which should look something like this:
Note that lines beginning with a # are commented out. Now comment out the line ServerTokens OS and, below it, add a new line:
Information on each setting is available in the comments above these directives.
- Further down the page, there should be a section dealing with
As you can tell, it is currently set to On with the Off option commented out. Simply toggle the comment prefix (#) between the two lines to turn off the server signature.
- Save the file and leave the editor.
- Restart Apache with something along the lines of apache2ctl restart and we're done!
Once the above changes have registered, the server signature should no longer be displayed. While the ServerTokens directive might appear superfluous since we are turning off the entire ServerSignature line, it also governs the Server header sent with every response, where it conceals the OS and version information.
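As an added example (not part of the original post), the script below shows the two settings side by side and audits a security configuration file for them. Both sample files are constructed here: the first mirrors the default Ubuntu/Debian layout described above, the second is the hardened result, using ServerTokens Prod (Apache's most restrictive value) together with ServerSignature Off. The audit honours Apache's rule that the last uncommented occurrence of a directive wins, and treats an unset ServerTokens as Full and an unset ServerSignature as Off, which are Apache's defaults.

```shell
#!/bin/sh
# Added example: audit an Apache security config file for the ServerTokens
# and ServerSignature directives discussed in the post.

# Constructed sample: the default Debian/Ubuntu settings (OS token, signature on).
WEAK_CONF='# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header.
#ServerTokens Minimal
ServerTokens OS
#ServerTokens Full

# ServerSignature
ServerSignature On
#ServerSignature Off
'

# Constructed sample: the same file after the edits described in the post.
HARDENED_CONF='#ServerTokens OS
ServerTokens Prod

#ServerSignature On
ServerSignature Off
'

# effective_value FILE DIRECTIVE
# Prints the value of the last uncommented occurrence of DIRECTIVE
# (Apache uses the last one it reads), or nothing if the directive is unset.
effective_value() {
  grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | tail -n 1 | awk '{print $2}'
}

# audit_conf FILE
# Exits 0 when ServerTokens is Prod and ServerSignature is Off, 1 otherwise.
audit_conf() {
  tokens=$(effective_value "$1" ServerTokens)
  signature=$(effective_value "$1" ServerSignature)
  status=0
  case "$(printf '%s' "$tokens" | tr 'A-Z' 'a-z')" in
    prod|productonly) echo "ServerTokens: $tokens (ok, header is just 'Apache')" ;;
    "")               echo "ServerTokens: unset (Apache defaults to Full)"; status=1 ;;
    *)                echo "ServerTokens: $tokens (leaks version/OS detail)"; status=1 ;;
  esac
  case "$(printf '%s' "$signature" | tr 'A-Z' 'a-z')" in
    off) echo "ServerSignature: $signature (ok)" ;;
    "")  echo "ServerSignature: unset (Apache defaults to Off)" ;;
    *)   echo "ServerSignature: $signature (footer shown on error pages)"; status=1 ;;
  esac
  return $status
}

# demo: write both constructed samples to a temp dir and audit each.
demo() {
  dir=$(mktemp -d)
  printf '%s' "$WEAK_CONF" > "$dir/weak.conf"
  printf '%s' "$HARDENED_CONF" > "$dir/hardened.conf"
  echo "--- default file ---";  audit_conf "$dir/weak.conf" || true
  echo "--- hardened file ---"; audit_conf "$dir/hardened.conf"
  rm -r "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as sh audit.sh demo to see the default file flagged and the hardened file pass. To confirm the change on a live server after the restart, request the headers and look at the Server line, for example with curl -sI http://localhost/ | grep -i '^Server:'; with ServerTokens Prod it should read just Apache. On current Debian and Ubuntu releases the equivalent file is /etc/apache2/conf-available/security.conf, enabled through conf-enabled, rather than the older conf.d location.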