
Hiding Apache version information in Ubuntu

Submitted by Druss on Sat, 2012-06-02 00:03

If you've ever visited a web server's error page, it will usually state the error followed by information about the server. This customarily includes the web server software and its version, sometimes details of compiled-in modules, and the server's hostname and port. While this might look generous and helpful, it also lets attackers and other parties fingerprint exactly what the server is running, down to the version, and match that against known vulnerabilities for that release. An example of this tell-tale signature can be seen below:
Apache/2.x.xx (Ubuntu) Server at example.com Port 80

If you are running Apache on an Ubuntu (or Debian, which uses the same packaging) server, this information can be switched off by setting a couple of configuration directives accordingly. The steps to do so are outlined below:

  1. Navigate to /etc/apache2/conf.d. (On newer releases that ship Apache 2.4, the same directives live in /etc/apache2/conf-available/security.conf instead.)
  2. Open the file named security in an editor (you will need root privileges to save it).
  3. First look for the ServerTokens directive, which should look something like this:
    #ServerTokens Minimal
    ServerTokens OS
    #ServerTokens Full

    Note that lines beginning with a # are commented out. Comment out the line ServerTokens OS and, below it, add a new line:
    ServerTokens Prod
    Information on what each setting reveals is available in the comments above these directives; Prod is the most restrictive, reducing the Server header to just "Apache".
  4. Further down the page, there should be a section dealing with ServerSignature:
    #ServerSignature Off
    ServerSignature On

    As you can tell, it is currently set to On with the Off option commented out. Simply swap the comment prefix (#) between the two lines to turn off the server signature.
  5. Save the file and leave the editor.
  6. Check the configuration for typos with apache2ctl configtest, then restart Apache with something along the lines of sudo apache2ctl restart (or sudo service apache2 restart) and we're done!
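The script below is an added example and not part of the original post. It writes out the two directives exactly as they should read after the edit (weak defaults commented, hardened values active), and provides two offline checks: one that inspects a security config file for the uncommented hardened directives, and one that scans a captured HTTP response for an Apache version string. The sample responses are constructed for the example; the default config path is the Apache 2.2-era Ubuntu layout used in the post and is an assumption you should adjust for Apache 2.4 (/etc/apache2/conf-available/security.conf).

```shell
#!/bin/sh
# Added example: hardened ServerTokens/ServerSignature directives plus two
# offline checks. Not the original post's code. Path below is an assumption
# matching the Apache 2.2-era Ubuntu layout described in the post.
SECURITY_CONF="${SECURITY_CONF:-/etc/apache2/conf.d/security}"

# The two directives as they should read after editing (defaults commented out).
HARDENED_DIRECTIVES='
#ServerTokens Minimal
#ServerTokens OS
#ServerTokens Full
ServerTokens Prod

#ServerSignature On
ServerSignature Off
'

# config_hardened FILE: exit 0 only if FILE has an uncommented "ServerTokens Prod"
# (or ProductOnly) AND an uncommented "ServerSignature Off". Commented lines
# beginning with # do not count.
config_hardened() {
    grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod(uctOnly)?([[:space:]]|$)' "$1" &&
    grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+Off([[:space:]]|$)' "$1"
}

# leaks_version TEXT: exit 0 if a captured HTTP response (headers and/or body)
# still contains an Apache version string such as "Apache/2.2.22".
leaks_version() {
    printf '%s\n' "$1" | grep -Eq 'Apache/[0-9]+\.[0-9]+'
}

# Constructed sample responses (not captured from a real server).
BEFORE_RESP='HTTP/1.1 404 Not Found
Server: Apache/2.2.22 (Ubuntu)
Content-Type: text/html

<address>Apache/2.2.22 (Ubuntu) Server at example.com Port 80</address>'

AFTER_RESP='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html

<p>The requested URL /missing was not found on this server.</p>'

# Demo against the constructed samples.
if leaks_version "$BEFORE_RESP"; then echo "before: version leaked"; fi
if leaks_version "$AFTER_RESP"; then echo "after: version leaked"; else echo "after: clean"; fi

# Write the hardened directives to a scratch file and verify them.
TMP=$(mktemp)
printf '%s\n' "$HARDENED_DIRECTIVES" > "$TMP"
if config_hardened "$TMP"; then echo "scratch config: hardened"; fi
rm -f "$TMP"

# Against the real file and a live server (after apache2ctl configtest && restart):
#   config_hardened "$SECURITY_CONF" && echo "live config: hardened"
#   curl -sI http://example.com/ | grep -i '^Server:'
#   curl -s http://example.com/does-not-exist | grep -i 'Server at'
```

The response check deliberately looks at both the Server header and the body, since ServerSignature controls the footer line on error pages while ServerTokens controls the header; a server with only one of the two directives changed will still fail the check.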

Once the above changes have registered, the server signature should no longer be displayed on error pages, directory listings, or any other page Apache generates itself. While the ServerTokens directive might appear to be superfluous since we are turning off the entire ServerSignature line, it has a separate effect: it controls the Server response header sent with every document, and with ServerTokens Prod that header is reduced to just "Apache" instead of the full version, OS and module list. You can confirm both with curl -I against the site and a request for a page that does not exist. Bear in mind that this only removes an easy fingerprint; it is no substitute for keeping Apache patched, since attackers can still probe for version-specific behaviour.

Good luck!