[TUTORIAL] Hide Apache Server header without recompiling

Post by p455w0rd » Thu Nov 29, 2012 5:40 pm

Ok, so I haven't messed much with Apache modules, but I've done my fair share of security research and lately (though atm I'm vulnerable) I've been preparing to lock down my server. One thing that always bugged the shit out of me was the damn Apache Server header, which exposes that you're using Apache. Within the default install of Apache you can disable all traces of Apache up to the "Server" header. No matter what, on a default install of Apache the end user can, for instance (in Google Chrome), hit F12, go to the network tab, hit refresh, click the first link and view the headers, which tells the end user that you are running Apache... Even if no version is visible, it doesn't matter, as Apache is only in v2... so the would-be attacker can begin their attack based on the knowledge of your server software.

The solution? mod_security2
Now, I've done the searching and it's actually kind of difficult to find the bare, already compiled file mod_security2.so, and who knows what else the end user threw in there. All tutorials I've found tell you to compile, which is actually the way to go, but I'm sick of broken dependencies, etc., so if I can, I try not to compile from source, but instead download the outdated binary in the repositories. Hey, so long as it does the job, right?

So, to install mod_security2 on Ubuntu, open a terminal and run the command:

Code:

sudo apt-get install libapache-mod-security

Now go to your apache2 "mods-enabled" directory (usually /etc/apache2/mods-enabled), create a blank file, name it security2.load, and copy/paste the code:

Code:

LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

Next, create another empty file, name it security2.conf, and copy/paste the code:

Code:

SecServerSignature "Microsoft-IIS/5.0"

Replace "Microsoft-IIS/5.0" with whatever you want, save, and restart Apache.
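
Added example, not part of the original post: a shell check that reads the Server header back after the restart and reports whether it still names Apache. The function names, the default URL http://localhost/ and the sample responses (including the version string) are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): verify the Server header.

# Print the Server header value from raw response headers on stdin.
# Header names are case-insensitive and lines end in CRLF, so handle both,
# and stop at the blank line that ends the header block.
server_header() {
    tr -d '\r' | awk '
        /^$/ { exit }
        tolower($0) ~ /^server:/ {
            sub(/^[^:]*:[ \t]*/, "")
            print
            exit
        }'
}

# Classify a Server value: missing, leaks (names Apache) or masked.
classify_server() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        "")       echo missing ;;
        *apache*) echo leaks ;;
        *)        echo masked ;;
    esac
}

# Fetch headers from a URL with curl and print the verdict.
check_url() {
    chk_url="${1:-http://localhost/}"   # assumed default target
    chk_val="$(curl -sI --max-time 5 "$chk_url" | server_header)"
    printf '%s: Server=%s (%s)\n' "$chk_url" "${chk_val:-<none>}" \
        "$(classify_server "$chk_val")"
}

# Constructed sample responses: before and after SecServerSignature.
sample_default() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n'
}
sample_masked() {
    printf 'HTTP/1.1 200 OK\r\nDate: Thu, 29 Nov 2012 17:40:00 GMT\r\nServer: Microsoft-IIS/5.0\r\n\r\n'
}

if [ "$#" -gt 0 ]; then
    check_url "$1"                      # live check against your own server
else
    for s in sample_default sample_masked; do
        v="$($s | server_header)"
        printf '%s: Server=%s (%s)\n' "$s" "$v" "$(classify_server "$v")"
    done
fi
```

Run it with your server's URL as the only argument after restarting Apache. If the result is still "leaks", check that ServerTokens is set to Full, which the ModSecurity reference manual requires for SecServerSignature to take effect.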
