In this post I will be showing you how to quickly disable the server signature and server tokens for your Apache web server. For those who don't know what these are, it's a line at the bottom of your error pages stating what your OS is and what version of Apache you are running, as well as the same information in your response headers. You can see an example of this in the screenshot below or by running the following command.
lynx -head -mime_header http://127.0.0.1
Automatically Disable ServerTokens And ServerSignature
The reason we want to disable these is that we want to make information gathering as difficult as possible, or at least not super easy. One quick way is to set ServerSignature to Off and ServerTokens to Prod. Below is a quick script that I wrote to automatically make the changes for you. It assumes you are running on an Ubuntu server. If you are running on a different distribution such as CentOS or Red Hat, you will need to replace the configuration file location /etc/apache2/apache2.conf with /etc/httpd/conf/httpd.conf and restart the httpd service instead of apache2.
#!/bin/bash

# Set Apache Configuration File Location
configfile='/etc/apache2/apache2.conf'

# Check for Server Signature (uncommented directive lines only)
if ! grep -qE '^[[:space:]]*ServerSignature[[:space:]]' "$configfile"; then
    # If no entry at all exists then just append it to the end
    echo "ServerSignature Off" >> "$configfile" && echo "Disabled Apache server signature." || echo "Failed to disable server signature."
else
    # Replace the whole directive line with the Off value.
    # Apache does not allow a comment on the same line as a directive,
    # so the original value is not kept as a trailing comment.
    sed -i -E 's/^[[:space:]]*ServerSignature[[:space:]].*/ServerSignature Off/' "$configfile" && echo "Disabled Apache server signature." || echo "Failed to disable server signature, value: $(grep ServerSignature "$configfile")"
fi

# Check for Server Tokens (uncommented directive lines only)
if ! grep -qE '^[[:space:]]*ServerTokens[[:space:]]' "$configfile"; then
    echo "ServerTokens Prod" >> "$configfile" && echo "Disabled Apache server tokens." || echo "Failed to disable server tokens."
else
    # Replace the whole directive line with the Prod value
    sed -i -E 's/^[[:space:]]*ServerTokens[[:space:]].*/ServerTokens Prod/' "$configfile" && echo "Disabled Apache server tokens." || echo "Failed to disable server tokens, value: $(grep ServerTokens "$configfile")"
fi

# Restart Apache Service
service apache2 restart && echo "Restarted Apache service." || echo "Failed to restart Apache service."
Manually Disable ServerTokens And ServerSignature
Alternatively, you can do this manually by opening the configuration file for your distribution in your favorite text editor.
Debian/Ubuntu based – /etc/apache2/apache2.conf
CentOS/Red Hat based – /etc/httpd/conf/httpd.conf
Then either change the following values or simply add them to the bottom of the configuration file. Note that even if they are turned on elsewhere in the config, putting these at the bottom will override the earlier settings and turn them off.
ServerTokens Prod
ServerSignature Off
If you chose to do this manually, you will need to restart your Apache service. You can do so with one of the following commands, depending on which distribution you are running.
sudo service apache2 restart # Debian / Ubuntu
sudo service httpd restart # CentOS / Red Hat
Afterwards, you can verify one more time with Lynx to make sure that your changes actually took effect.
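To make that check repeatable, here is an added example (not part of the original script) that classifies a response: it flags a Server header that still carries version or OS detail, and an error page that still carries the signature footer. The function names and sample responses are constructed for illustration, and the footer pattern assumes Apache's default error-page format.

```bash
#!/bin/bash
# Added example, not the post's script: report what a response still discloses.
# Live use: curl -s -i http://127.0.0.1/no-such-page | audit_response

# Print the value of the first Server header read from stdin.
server_header_value() {
    tr -d '\r' | grep -i '^server:' | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# Succeed if a Server value holds more than the bare product name that
# ServerTokens Prod sends: a "/", "(" or digit means version or OS detail.
server_value_leaks() {
    case $1 in
        */*|*"("*|*[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if the body on stdin carries the error-page footer that
# ServerSignature Off removes.
body_has_signature() {
    grep -qiE '<address>Apache.* Server at .* Port [0-9]+</address>'
}

# Read headers, blank line and body on stdin; print findings or "ok".
audit_response() {
    response=$(tr -d '\r')
    headers=$(printf '%s\n' "$response" | sed '/^$/q')
    body=$(printf '%s\n' "$response" | sed '1,/^$/d')
    findings=""
    if server_value_leaks "$(printf '%s\n' "$headers" | server_header_value)"; then
        findings="server-header-leak"
    fi
    if printf '%s\n' "$body" | body_has_signature; then
        findings="${findings:+$findings }error-page-signature"
    fi
    printf '%s\n' "${findings:-ok}"
}

# Constructed sample responses (not captured from a real server).
sample_before() {
    printf 'HTTP/1.1 404 Not Found\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n'
    printf '<h1>Not Found</h1>\n<address>Apache/2.4.41 (Ubuntu) Server at 127.0.0.1 Port 80</address>\n'
}
sample_after() {
    printf 'HTTP/1.1 404 Not Found\r\nServer: Apache\r\n\r\n<h1>Not Found</h1>\n'
}
sample_before | audit_response   # server-header-leak error-page-signature
sample_after | audit_response    # ok
```

Requesting a page that does not exist matters here: the signature footer only appears on server-generated pages such as the 404 error page, so a headers-only check cannot confirm that ServerSignature is off.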
I hope this guide has helped you. Please don't forget to like, comment, and share for more guides. Thank you!