Hide Apache ServerSignature / ServerTokens / PHP X-Powered-By
By default almost every Apache installation reveals sensitive server information: the Apache version number, server operating system details, installed Apache modules, the PHP version and so on. Attackers can use this information when planning attacks.
Some examples of how to check the server information that Apache sends
Error page
Use lynx
$ lynx -head -mime_header http://www.ubuntu.com
HTTP/1.0 200 OK
Date: Fri, 20 Nov 2009 09:25:46 GMT
Server: Apache/2.2.8 (Ubuntu) mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.7 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.4-2ubuntu5.7
Content-Type: text/html; charset=utf-8
Age: 13
Content-Length: 0
X-Cache: HIT from avocado.canonical.com
X-Cache-Lookup: HIT from avocado.canonical.com:80
Via: 1.0 avocado.canonical.com:80 (squid/2.6.STABLE18)
Connection: close
$
Use the Mozilla Firebug plugin
As you can see, this is very sensitive information if the latest security updates have not been installed.
Hiding and modifying Apache server information
Fortunately, such data can easily be hidden or modified by changing the ServerSignature and ServerTokens directives.
ServerSignature
ServerSignature configures the footer on server-generated documents, for example a 404 error page. In normal use it is better to hide the whole signature: add or modify the following row in httpd.conf or apache.conf:
ServerSignature Off
If for some reason you want to show the ServerSignature, use:
ServerSignature On
Or if you want to show a mailto link (for example the admin's e-mail address), use:
ServerSignature Email
ServerTokens
ServerTokens configures the Server HTTP response header. The available ServerTokens options are the following (add or modify the row in httpd.conf or apache.conf):
Prod or ProductOnly – Server sends (e.g.): Server: Apache
ServerTokens Prod
Major – Server sends (e.g.): Server: Apache/2
ServerTokens Major
Minor – Server sends (e.g.): Server: Apache/2.2
ServerTokens Minor
Min or Minimal – Server sends (e.g.): Server: Apache/2.2.4
ServerTokens Min
OS – Server sends (e.g.): Server: Apache/2.2.4 (Ubuntu)
ServerTokens OS
Full or not specified – Server sends (e.g.): Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.4
ServerTokens Full
The ServerTokens setting applies to the entire server and cannot be enabled or disabled on a virtual-host-by-virtual-host basis.
Hide PHP version (X-Powered-By)
Hiding the PHP version (X-Powered-By) is easy. Add or modify the following row in php.ini:
expose_php = Off
Summary
The safest basic setup is the following:
httpd.conf or apache.conf rows:
ServerSignature Off
ServerTokens Prod
php.ini row:
expose_php = Off
After all changes, remember to reload the server and check the results. The results should look like this:
Before:
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 12:20:30 GMT
Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.4
X-Powered-By: PHP/5.2.3-1ubuntu6.4
Connection: close
Content-Type: text/html; charset=UTF-8
After:
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 13:06:21 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=UTF-8
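As an added check, not part of the original post, the following Python script parses a raw response head such as the Before and After captures above, maps the Server header back to the ServerTokens level that produces it, and reports whether X-Powered-By is still sent. The regex for the Server header shape and the sample data embedded below are assumptions based on the option list in this post.

```python
import re
# Constructed sample inputs: the Before/After captures shown in this post.
BEFORE = """HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 12:20:30 GMT
Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.4
X-Powered-By: PHP/5.2.3-1ubuntu6.4
Connection: close
Content-Type: text/html; charset=UTF-8
"""
AFTER = """HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 13:06:21 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=UTF-8
"""
# Assumed Server header shape per ServerTokens level: Apache[/major[.minor[.patch]]][ (OS)][ modules ...]
SERVER_RE = re.compile(
    r"^Apache(?:/(?P<major>\d+)(?:\.(?P<minor>\d+))?(?:\.(?P<patch>\d+))?)?"
    r"(?:\s+\((?P<os>[^)]*)\))?(?:\s+(?P<extra>\S.*))?$"
)

def parse_headers(raw: str) -> dict:
    """Turn a raw HTTP response head into a dict keyed by lower-cased header name."""
    pairs = (line.partition(":") for line in raw.strip().splitlines()[1:])  # skip status line
    return {name.strip().lower(): value.strip() for name, sep, value in pairs if sep}

def server_tokens_level(server: str) -> str:
    """Map a Server header value back to the ServerTokens level that produces it."""
    m = SERVER_RE.match(server)
    if not m:
        return "unknown"  # not an Apache-style Server header at all
    for group, level in (("extra", "Full"), ("os", "OS"), ("patch", "Min"),
                         ("minor", "Minor"), ("major", "Major")):
        if m.group(group):
            return level
    return "Prod"

def audit(raw: str) -> list:
    """List what a response head still leaks; an empty list means it is clean."""
    h = parse_headers(raw)
    findings = []
    level = server_tokens_level(h.get("server", ""))
    if level != "Prod":
        findings.append(f"Server header matches ServerTokens {level}: {h.get('server', '')!r}")
    if "x-powered-by" in h:
        findings.append(f"X-Powered-By still sent (expose_php not Off): {h['x-powered-by']!r}")
    return findings

if __name__ == "__main__":
    print({label: audit(raw) or ["clean"] for label, raw in (("Before", BEFORE), ("After", AFTER))})
```

The output of lynx -head -mime_header, as shown earlier, can be passed to audit() to check a live server after reloading Apache.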