Oct 30, 2012

Hide Your Apache Version in Ubuntu

I was making changes to an Apache web server I have in my environment that is running on Ubuntu Linux. That web server also has phpMyAdmin running on it as well and I wanted to restrict access to it by IP. Once I did that I tested it by trying to browse to it and I got the following forbidden error:

So what's the problem with that? Well it tells a potential attacker that you are not only running Apache version 2.2.17, but you are also running it on Ubuntu. Now an attacker can do a little research on vulnerabilities for your specific version, and know just what to do to break in. Let's not show them this information shall we.

To hide the version information open /etc/apache2/conf.d/security with your favorite text editor and change 

ServerTokens OS
ServerTokens Prod 
ServerSignature On
ServerSignature Off

Save the file and restart Apache by running sudo service apache2 restart. Now your error message will look like this:

Much better isn't it?

Twitter Delicious Facebook Digg Stumbleupon Favorites More

Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | stopping spam