Like the needy stranger who tells us his or her entire life story on the occassion of our first meeting, Apache spews out way too much information in every HTTP header. And like the unscrupulous sharpies who take advantage of lonely folks they meet on buses, there are those who would use this information to attack your system!
The default with Apache 1 and 2 is to send out information about the Server, Version, OS, and all modules compiled in. On a Red Hat system with the Apache 1.3.x RPM installed, it looks like this:
[usr-3@felix n]$ curl -s -I http://blahblah.com HTTP/1.1 200 OK Date: Fri, 11 Jul 2003 23:26:51 GMT Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 Last-Modified: Thu, 10 Jul 2003 14:53:52 GMT ETag: "8019e-d2af-3f0d7e00" Accept-Ranges: bytes Content-Length: 53935 Connection: close Content-Type: text/html
We couldn’t make it much easier to fingerprint our system, and to simplify automated attacks which scan for vulnerable versions of Apache or its modules. Luckily, the solution is just one simple directive away! Simply add the ServerTokens directive to your httpd.conf file, in the global configuration section. This directive, like ServerType, *only* applies globally. It cannot be applied to individual virtual hosts. There are a range of options for this directive which range from the chatty verbosity seen above (“Full”) to a simple one-word response, which we prefer and have implemented by adding the following line to our httpd.conf:
Which makes our headers look like this:
[usr-3@felix n]$ curl -s -I http://blahblah.com HTTP/1.1 200 OK Date: Fri, 11 Jul 2003 23:43:51 GMT Server: Apache Last-Modified: Thu, 10 Jul 2003 14:53:52 GMT ETag: "8019e-d2af-3f0d7e00" Accept-Ranges: bytes Content-Length: 53935 Connection: close Content-Type: text/html
Just one less piece of easy prey for the sharks.