Before hackers start penetrating your system they collect information about it. Our task is to show as little information as possible. To do so we need to change some default values in Apache's config. By default it reveals the OS version and the enabled modules.
To prevent this we change the values of the ServerTokens, ServerSignature and TraceEnable options. Open your server config files and search for ServerTokens, ServerSignature and TraceEnable. For apache2 on Debian lenny these settings are made in /etc/apache2/conf.d/security. The ServerSignature option can additionally be set per VHost.
If you are unable to find these options, run
~$ fgrep 'SEARCH TERM' -ir
from inside the Apache configuration directory.
After locating them change their values to:
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#
#ServerTokens Minimal
ServerTokens Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
ServerSignature Off

#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of: On | Off | extended
#
TraceEnable Off
Now you need to restart the server with
~$ /etc/init.d/apache2 restart
If everything worked fine, the server signature should be gone from all error and index pages, and your headers only tell the user that you use Apache. The TRACE method lets attackers probe for XSS and XST vulnerabilities; that is now impossible, too.
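To confirm the three settings actually took effect, here is an added example (not from the original post) that audits raw HTTP responses, such as the output of `curl -si http://yourhost/` and `curl -si -X TRACE http://yourhost/`, for a leaking Server header, a signature footer, and an enabled TRACE method. The sample responses embedded below are constructed for offline use.

```python
"""Audit raw HTTP responses for the three Apache hardening settings above."""
import re


def parse_response(raw: str):
    """Split a raw HTTP response into (status_code, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit(get_response: str, trace_response: str) -> dict:
    """Return {setting: True if hardened, False if still leaking}."""
    _, headers, body = parse_response(get_response)
    trace_status, _, _ = parse_response(trace_response)
    server = headers.get("server", "")
    # ServerTokens Prod leaves exactly "Apache"; anything longer leaks version/OS/modules
    tokens_ok = server.lower() == "apache"
    # ServerSignature On adds an <address> footer with version and vhost to error pages
    signature_ok = not re.search(r"<address>.*apache.*</address>", body, re.I | re.S)
    # TraceEnable Off makes Apache answer TRACE with 405 Method Not Allowed
    trace_ok = trace_status == 405
    return {"ServerTokens": tokens_ok, "ServerSignature": signature_ok, "TraceEnable": trace_ok}


# Constructed sample responses (version strings and hostnames are made up).
LEAKY_GET = ("HTTP/1.1 404 Not Found\r\nServer: Apache/2.2.9 (Debian)\r\n"
             "Content-Type: text/html\r\n\r\n<html><body><h1>Not Found</h1><hr>\n"
             "<address>Apache/2.2.9 (Debian) Server at www.example.com Port 80</address>\n"
             "</body></html>")
LEAKY_TRACE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.9 (Debian)\r\n"
               "Content-Type: message/http\r\n\r\nTRACE / HTTP/1.1\r\nHost: www.example.com\r\n")
HARDENED_GET = ("HTTP/1.1 404 Not Found\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
                "<html><body><h1>Not Found</h1></body></html>")
HARDENED_TRACE = ("HTTP/1.1 405 Method Not Allowed\r\nServer: Apache\r\n"
                  "Allow: GET,HEAD,POST,OPTIONS\r\n\r\n<html><body><h1>Method Not Allowed</h1></body></html>")

if __name__ == "__main__":
    for label, pair in (("before", (LEAKY_GET, LEAKY_TRACE)), ("after", (HARDENED_GET, HARDENED_TRACE))):
        print(label, audit(*pair))
```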