2006/12/01

Hide OS and Apache version number

By default (at least on RHEL 4, CentOS 4.x, and related distros), the Apache web server reports its own version number as well as your OS, both in the Server response header and in the footer of server-generated pages. This makes it easier for an attacker to guess which vulnerabilities your web server (or host OS) may have. This information can be hidden by changing these two lines in /etc/httpd/conf/httpd.conf:
ServerTokens ProductOnly
ServerSignature Off
Note that this won't actually fix any vulnerabilities, but it will force an attacker to guess or scan to determine which vulnerabilities you may have.

An even better idea is to front your Apache with ModSecurity (perhaps even on a separate (virtual) server), and have ModSecurity tell everyone that your Apache web server is really an IIS server.

To hide the PHP version number (which PHP otherwise advertises in an X-Powered-By response header), add or change this line in /etc/php.ini:
expose_php = Off
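A quick way to verify the httpd.conf and php.ini changes above without restarting anything is to read the effective values back out of the config files. This is an added example, not part of the original post: the function names and the sample configs it writes are constructed here, and it follows Apache's rule that the last uncommented occurrence of a directive wins.

```shell
# Added example, not from the original post: audit httpd.conf and php.ini for the
# three version-disclosure settings above. Function names and sample configs are constructed.
# Effective value of an Apache directive: the last uncommented occurrence wins.
effective_directive() {  # $1 = httpd.conf, $2 = directive name
    awk -v name="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(name) { val = $2 }
        END { print val }' "$1"
}
# Effective value of a php.ini key ("key = value" lines, ";" starts a comment).
effective_ini_value() {  # $1 = php.ini, $2 = key
    awk -F'=' -v key="$2" '
        /^[ \t]*;/ { next }
        { k = $1; gsub(/[ \t]/, "", k)
          if (tolower(k) == tolower(key)) { v = $2; gsub(/[ \t]/, "", v) } }
        END { print v }' "$1"
}
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
# Prints one line per setting; returns 0 only when all three are hardened.
audit_version_disclosure() {  # $1 = httpd.conf, $2 = php.ini
    rc=0
    tokens=$(effective_directive "$1" ServerTokens)
    case "$(lower "$tokens")" in
        prod|productonly) echo "OK   ServerTokens $tokens" ;;
        *) echo "WEAK ServerTokens ${tokens:-unset (defaults to Full)}"; rc=1 ;;
    esac
    sig=$(effective_directive "$1" ServerSignature)
    case "$(lower "$sig")" in
        off|"") echo "OK   ServerSignature ${sig:-unset (defaults to Off)}" ;;
        *) echo "WEAK ServerSignature $sig"; rc=1 ;;
    esac
    expose=$(effective_ini_value "$2" expose_php)
    case "$(lower "$expose")" in
        off|0) echo "OK   expose_php $expose" ;;
        *) echo "WEAK expose_php ${expose:-unset (defaults to On)}"; rc=1 ;;
    esac
    return $rc
}
# Constructed sample configs written into directory $1; $2 is "weak" (the distro-style
# defaults the post describes) or "hardened" (the post's recommended values).
write_sample_configs() {
    if [ "$2" = weak ]; then
        printf 'ServerTokens OS\nServerSignature On\n' > "$1/httpd.conf"
        printf '; php.ini\nexpose_php = On\n' > "$1/php.ini"
    else
        printf '# hardened\nServerTokens OS\nServerTokens ProductOnly\nServerSignature Off\n' > "$1/httpd.conf"
        printf ';expose_php = On\nexpose_php = Off\n' > "$1/php.ini"
    fi
}
```

Run it as `audit_version_disclosure /etc/httpd/conf/httpd.conf /etc/php.ini` on a real host; a non-zero exit means at least one setting still leaks version information.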
