How To disable Server Signature on Apache and Nginx HTTP-Server
There are numerous ways websites can be exposed to security threats. Information in the server signature is an increased risk for systems and can be used against them.
The server signature provides important information about the server with the extensions and the operating system. For an Apache server on Debian GNU/Linux, the Apache version number and operating system information is displayed in the HTTP server header signature.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
$ wget --server-response --spider http://www.foo.com/index.php Spider mode enabled. Check if remote file exists. --2020-12-12 14:41:06-- http://www.foo.com/index.php Resolving www.foo.com (www.foo.com)... 192.168.123.45 Connecting to www.foo.com (www.foo.com)|192.168.123.45|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 301 Moved Permanently Date: Sat, 12 Dec 2020 13:41:06 GMT Server: Apache/2.4.35 (Debian) PHP/7.3.5~deb10u2 OpenSSL/1.1.1i Location: https://www.foo.com/index.php Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Location: https://www.foo.com/index.php [following] Spider mode enabled. Check if remote file exists. |
This information displayed in the HTTP server header at line 10 and provides information about the web server version number and the PHP version, the OpenSSL version for Transport Layer Security and the operating system.
Signatures can contain sensitive information about the software versions running on the web server. If a page is not found on the server, the server sends the client an error page and the page appears in the browser, Not Found.
A dead link is returned to the browser with the HTTP status code 404, and further information about the web server and version used are also disclosed.
It is recommended that the server signature be deactivated if the system is to be protected from open threats. This tutorial shows how to disable the server signature.
Disable Apache HTTP-Serversignatur on Debian GNU/Linux
Under Debian 10 (Buster) the server signature is configured in the file security.conf.
|
1 2 |
$ vi /etc/apache2/conf-available/security.conf |
The default setting on Debian 10 (Buster) also on Ubuntu for ServerSignature is On and ServerTokens is Full. These can be deactivated as follows.
|
1 2 3 |
ServerTokens Prod ServerSignature Off |
Apply change the Apache web server configuration.
|
1 2 |
$ systemctl restart apache2.service |
Disable Apache HTTP Serversignatur on CentOS GNU/Linux
On CentOS (RedHat) the server signature is changed in the Apache configuration file httpd.conf.
|
1 2 3 4 5 6 |
$ vi /etc/httpd/conf/httpd.conf ... ServerTokens Prod ServerSignature Off ... |
Apply changes of the HTTP server signature for CentOS.
|
1 2 |
$ systemctl restart httpd.service |
After disable the server signature, it is no longer displayed in the HTTP server header output. The modification can be checked using wget or here.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
$ wget --server-response --spider http://www.foo.com/index.php Spider mode enabled. Check if remote file exists. --2020-12-12 15:15:33-- http://www.foo.com/index.php Resolving www.foo.com (www.foo.com)... 192.168.123.45 Connecting to www.foo.com (www.foo.com)|192.168.123.45|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 301 Moved Permanently Date: Sat, 12 Dec 2020 14:15:33 GMT Server: Apache Location: https://www.foo.com/index.php Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Location: https://www.foo.com/index.php [following] Spider mode enabled. Check if remote file exists. |
The deactivation of the server signature can also be achieved with .htaccess, this is created in the Docroot if it does not already exist.
|
1 2 |
$ echo -e "ServerTokens Prod\nServerSignature Off" >> .htaccess |
Disable PHP-Version HTTP Server Header
The output of the PHP version number is deactivated in Debian 10 (Buster) as follows in the file php.ini.
|
1 2 3 4 5 |
$ vi /etc/php/7.3/apache2/php.ini ... expose_php = Off ... |
On CentOS (RedHat) the PHP version header is done in php.ini under the following path.
|
1 2 3 4 5 |
$ vi /etc/php.ini ... expose_php = Off ... |
Apache HTTP-Response-Header
The Apache ServerTokens directive has the following possible values that are sent to clients when the specific value is set.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
ServerTokens Prod[uctOnly] Der Server send (i.e.): Server: Apache ServerTokens Major Der Server send (i.e.): Server: Apache/2 ServerTokens Minor Der Server send (i.e.): Server: Apache/2.0 ServerTokens Min[imal] Der Server send (i.e.): Server: Apache/2.0.41 ServerTokens OS Der Server send (i.e.): Server: Apache/2.0.41 (Unix) ServerTokens Full Der Server send (i.e.): Apache/2.4.37 (Debian) PHP/7.3.5~deb10u2 OpenSSL/1.1.1d . |
This setting applies to the entire server and cannot be enabled or disabled on a virtual host basis.
Nginx HTTP Server_tokens OFF
The file nginx.conf must be modify for Nginx web server.
|
1 2 3 4 5 6 7 |
$ vi /etc/nginx/nginx.conf http { ... server_tokens off; ... |
Apply changes to disable the Nginx server signature.
|
1 2 |
$ systemctl restart nginx.service |
