Friday, May 11, 2007

How (and why) to disable the Apache server signature on your web pages

In Apache's default configuration, every error page contains the full server signature, including the version number. Each version has its own weaknesses, so an attacker who knows your version number can use it to focus their attacks.

To disable server signature, you will need to edit your /etc/apache2/apache2.conf file.

sudo nano /etc/apache2/apache2.conf

Press Ctrl+W, type "ServerSignature" and press Return to search for it. If you find it, change the settings to:

ServerSignature Off
ServerTokens Prod

If you don't find it, just scroll to the end of the file and add these two lines.

Then reload the Apache configuration to put the change into effect:

sudo /etc/init.d/apache2 reload

Check the new configuration by requesting an invalid address on your server (e.g. www.server.com/invalidpage.html). You should not see the server signature now, just the server name.
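One way to script that last check, as an added example that is not part of the original post: the function below inspects both the error-page body (controlled by ServerSignature) and the Server response header (controlled by ServerTokens). The function name check_signature and both sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads one raw HTTP response on
# stdin and prints "header-leak", "body-leak", both, or "clean".
# Live use: curl -si http://www.server.com/invalidpage.html | check_signature
check_signature() {
    resp=$(tr -d '\r')    # normalise CRLF line endings
    findings=""
    # Headers end at the first empty line; take the Server header value.
    server=$(printf '%s\n' "$resp" | awk '
        NF == 0 { body = 1 }
        !body && !seen && tolower($0) ~ /^server:/ {
            sub(/^[^:]*:[ \t]*/, ""); print; seen = 1 }')
    # ServerTokens Prod sends just "Apache"; a "/" means a version is exposed.
    case "$server" in
        */*) findings="header-leak" ;;
    esac
    # ServerSignature On appends "<address>... Server at HOST Port N</address>".
    if printf '%s\n' "$resp" | awk 'body { print } NF == 0 { body = 1 }' |
        grep '<address>.* Server at .* Port [0-9]' >/dev/null; then
        findings="${findings:+$findings }body-leak"
    fi
    printf '%s\n' "${findings:-clean}"
}

# Constructed sample: default settings (full tokens, signature on).
SAMPLE_DEFAULT='HTTP/1.1 404 Not Found
Server: Apache/2.2.22 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<hr>
<address>Apache/2.2.22 (Ubuntu) Server at www.server.com Port 80</address>
</body></html>'

# Constructed sample: after ServerSignature Off and ServerTokens Prod.
SAMPLE_HARDENED='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=iso-8859-1

<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
</body></html>'

printf 'default:  %s\n' "$(printf '%s\n' "$SAMPLE_DEFAULT" | check_signature)"
printf 'hardened: %s\n' "$(printf '%s\n' "$SAMPLE_HARDENED" | check_signature)"
```

A remaining "header-leak" points at ServerTokens and a remaining "body-leak" at ServerSignature; if either persists after the edit, look for a later occurrence of the directive in a file that apache2.conf includes.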

16 comments:

Unknown said...

Doesn't work for 403 Forbidden

Anonymous said...

Thanks for this tip, I used this on my web server!

Unknown said...

Works fine here for the 403 Forbidden

Anonymous said...

Thanks!

Anonymous said...

Works great for me, thanks.

Anonymous said...

Thanks, your site helped me too

http://codeme.gotdns.com

Anonymous said...

That seems to get them out of the page body, but the signature still exists in the response headers - is there a flag to remove that?

Anonymous said...

Doesn't work for 403 for me either (Ubuntu 12.04/Apache 2.2.22). Welp...

Anonymous said...

Oh wait, my fault. apache.conf includes conf.d/security file at the end. It's enabled in there, so change it there if you must.

Anonymous said...

Using a port scan still revealed the Apache version!

Anonymous said...

Worked fine :) Thank you.

Tesera said...

Works for me. Thanks. (Ubuntu Server 12.04/Apache 2.2.22 (You will need to edit your /etc/apache2/conf.d/security file.))

Free Likes said...

Thank you for this post. I too want to block server signature check.

Anonymous said...

To remove the signature completely: http://docs.homelinux.org/apache:remove_server_header_field

aaaooo said...

Thanks bro, I'm looking for this. It works fine.

Emir Ercan Ayar said...

Also, I strongly recommend removing the x-powered-by header by changing to "expose_php = off" in php.ini