Disable Server Tokens and Server Signature For Apache

In this post I will show you how to quickly disable the server signature and server tokens on your Apache web server. For those who don't know what these are: ServerSignature controls the footer line at the bottom of Apache-generated error pages (and directory listings) that states which version of Apache you are running and which OS it was built for, and ServerTokens controls how much of that same information appears in the Server response header. You can see an example by running the following command and looking at the Server: line of the output.

lynx -head -mime_header http://127.0.0.1


Automatically Disable ServerTokens And ServerSignature

The reason we want to disable these is to make information gathering as difficult as possible, or at least not trivially easy: an exact version string in the Server header or on an error page lets an attacker match known vulnerabilities to your build without any further probing, and automated scanners pick it up on the very first request. ServerTokens Prod reduces the header to just "Apache" (the stock directives cannot remove it entirely) and ServerSignature Off removes the footer line. Below is a quick script that makes the changes for you, assuming you are running an Ubuntu server. On Debian/Ubuntu the default values (ServerTokens OS, ServerSignature On) actually live in /etc/apache2/conf-available/security.conf, which apache2.conf includes; appending the directives to the end of apache2.conf still works because those lines are read after that include, and the last value wins. If you are running a different distribution such as CentOS or Red Hat, replace the configuration file location /etc/apache2/apache2.conf with /etc/httpd/conf/httpd.conf and the apache2 service name with httpd.

#!/bin/bash

# Set Apache Configuration File Location
configfile='/etc/apache2/apache2.conf'

# Keep a backup so the edit can be reverted if the config test fails
cp -p "$configfile" "$configfile.bak" || { echo "Failed to back up $configfile."; exit 1; }

# Apache does not allow a comment after a directive on the same line, so an
# existing directive line is replaced outright rather than annotated in place.
# Only active lines are matched, not commented-out ones such as "#ServerTokens Full".

# Check for Server Signature
if ! grep -Eq '^[[:space:]]*ServerSignature[[:space:]]' "$configfile"; then
  # If no active entry exists then just append it to the end
  echo "ServerSignature Off" >> "$configfile" && echo "Disabled Apache server signature." || echo "Failed to disable server signature."
else
  # Replace the existing value (normally On) with Off
  sed -Ei 's/^[[:space:]]*ServerSignature[[:space:]].*/ServerSignature Off/' "$configfile" && echo "Disabled Apache server signature." || echo "Failed to disable server signature, value: $(grep ServerSignature "$configfile")"
fi

# Check for Server Tokens
if ! grep -Eq '^[[:space:]]*ServerTokens[[:space:]]' "$configfile"; then
  echo "ServerTokens Prod" >> "$configfile" && echo "Disabled Apache server tokens." || echo "Failed to disable server tokens."
else
  # Replace the existing value (OS, Full, Min, ...) with Prod
  sed -Ei 's/^[[:space:]]*ServerTokens[[:space:]].*/ServerTokens Prod/' "$configfile" && echo "Disabled Apache server tokens." || echo "Failed to disable server tokens, value: $(grep ServerTokens "$configfile")"
fi

# Validate the configuration before restarting so a bad edit cannot take the site down
if ! apachectl configtest; then
  echo "Configuration test failed, restoring backup."
  cp -p "$configfile.bak" "$configfile"
  exit 1
fi

# Restart Apache Service
service apache2 restart && echo "Restarted Apache service." || echo "Failed to restart Apache service."

Manually Disable ServerTokens And ServerSignature

Alternatively you can do this manually by opening up the corresponding configuration file for your distribution with your favorite text editor.

Debian/Ubuntu based – /etc/apache2/apache2.conf
CentOS/Red Hat based – /etc/httpd/conf/httpd.conf

Then either change the existing values or simply add the two lines below to the bottom of the configuration file. For directives in the main server configuration the last value read wins, so even if they are turned on earlier in the config (on Debian/Ubuntu that is conf-enabled/security.conf, which apache2.conf includes), lines at the bottom of apache2.conf override them. Two caveats: ServerSignature can also be set inside a <VirtualHost>, <Directory> or .htaccess, and such a setting overrides the global value for that scope, so check those as well; and Apache does not allow a comment on the same line as a directive, so do not write something like "ServerTokens Prod # was OS", which is a syntax error that stops Apache from starting.

ServerTokens Prod
ServerSignature Off

If you chose to do this manually then you will need to restart your Apache service for the change to take effect. It is worth running Apache's configuration test first (apachectl configtest) so a typo does not take the site down. Then restart with one of the following commands based on which distribution you are running; on systemd-based releases the equivalent is systemctl restart apache2 (or httpd).

sudo service apache2 restart # Debian / Ubuntu
sudo service httpd restart # CentOS / Red Hat

Afterwards, verify once more with Lynx that your changes actually took: the Server header should now read just "Server: Apache" with no version or OS, and the footer line should be gone from error pages (request a URL that does not exist to see one). Remember that ServerTokens Prod still announces that the server is Apache; it hides the version and OS, not the product.
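The two checks described above (that the last directive value in the file is the one that wins, and that the Server header no longer carries version or OS detail) as an added shell helper; this is example code written for this page, not the post's script or anything shipped with Apache. The config text and header blocks embedded in it are constructed samples standing in for a real file and for the output of lynx -head -mime_header or curl -sI; the function names effective_directive and server_header_leaks are this example's own.

```bash
#!/bin/bash
# Added verification helper (not from the original post). Two checks:
#   1. effective_directive: which value a directive ends up with in a config
#      file, mirroring Apache's rule that in the main server scope the last
#      occurrence read wins (comment lines are ignored);
#   2. server_header_leaks: whether a captured header block, e.g. the output of
#      "lynx -head -mime_header" or "curl -sI", still exposes version/OS detail.
# The config text and header blocks below are constructed samples, not captures.

# Usage: effective_directive NAME [FILE...]
# Reads FILEs (or stdin) in the order given and prints the value of the last
# active NAME line; prints nothing if NAME is never set. It does not follow
# Include lines or track <VirtualHost>/<Directory> scope, so it reports the
# global value of the files it is handed only.
effective_directive() {
    local name="$1"; shift
    awk -v name="$name" '
        /^[[:space:]]*#/ { next }                       # comment line
        tolower($1) == tolower(name) { value = $2 }     # later lines override earlier
        END { if (value != "") print value }
    ' "$@"
}

# Usage: server_header_leaks "HEADER_BLOCK"
# Returns 0 (leaking) if the Server header carries anything beyond the bare
# product name, i.e. a version number (/2.4.7), an OS tag ((Ubuntu)) or a
# module list; returns 1 if it is just "Apache" or absent altogether.
server_header_leaks() {
    printf '%s\n' "$1" \
        | tr -d '\r' \
        | awk 'tolower($1) == "server:" { $1 = ""; sub(/^ +/, ""); print }' \
        | grep -Eq '[0-9/()]'
}

# --- constructed samples ------------------------------------------------

# Resembles Debian's security.conf defaults followed by the hardened lines an
# admin appended to the end of the file.
sample_conf='# ServerTokens
#ServerTokens Minimal
ServerTokens OS
#ServerTokens Full

# ServerSignature
ServerSignature On

# appended by the admin: read last, so these win
ServerTokens Prod
ServerSignature Off'

# Header block as seen before hardening (constructed)
before_headers='HTTP/1.1 200 OK
Date: Thu, 01 Jan 2015 00:00:00 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Type: text/html'

# The same server after ServerTokens Prod (constructed)
after_headers='HTTP/1.1 200 OK
Date: Thu, 01 Jan 2015 00:00:00 GMT
Server: Apache
Content-Type: text/html'

# Prints a verdict per check. On a real host the header test is the
# authoritative one: server_header_leaks "$(curl -sI http://127.0.0.1)"
report() {
    printf 'effective ServerTokens:    %s\n' "$(printf '%s\n' "$sample_conf" | effective_directive ServerTokens)"
    printf 'effective ServerSignature: %s\n' "$(printf '%s\n' "$sample_conf" | effective_directive ServerSignature)"
    if server_header_leaks "$before_headers"; then echo "before: Server header leaks version/OS"; fi
    if server_header_leaks "$after_headers"; then echo "after: still leaking"; else echo "after: Server header is bare"; fi
}

report
```

The header check is deliberately loose (any digit, slash or parenthesis after the product name) because every ServerTokens level other than Prod adds at least a "/major" suffix, so anything beyond the bare word is a leak worth flagging.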

I hope this guide has helped you, please don’t forget to like, comment, and share for more guides. Thank you!
