Friday, July 3, 2015

Improve Apache Web Server Security

Improve Apache Web Server Security: Use ServerTokens and ServerSignature to Disable Header
When the Apache HTTPD web server generates a web page or an error page, it reveals the server version and other details about the software installed on the system in the server header.

For example: Server: Apache/2.0.53 (Ubuntu) PHP/4.3.10-10ubuntu4 Server at xx.xx.xx.xx Port 80

To ensure that the Apache HTTP web server does not broadcast this information to the whole world and to fix this possible security issue, modify these two directives

  • ServerTokens
  • ServerSignature

in the httpd.conf configuration file.

Log in as the root user, or use sudo, on the web server.

Open httpd.conf (or apache2.conf in Apache 2) with vi or another text editor. The Apache configuration is normally located in /etc/httpd/conf/, /etc/apache2/ or /etc/apache/ (for Apache 1.3), depending on which Unix or Linux distribution you are using.

Locate the line with ServerTokens. In vi you can search for it by typing “/ServerTokens” and hitting Enter.

In Apache 1.3, you will likely see a line starting with #ServerTokens Full. In this case, remove the leading # character (by pressing the d key).

Also change Full to Prod (press r to replace one character, or R to replace multiple characters), so that the line becomes ServerTokens Prod.

In Apache 2.0 or 2.2, the line normally does not exist, so the search will fail. In this case, go to the bottom of the config file and add a new line with the following text. You can open a new line by pressing the o key.

ServerTokens Prod

Next, search for ServerSignature. In Apache 1.3, the line should be just above the ServerTokens line; edit it so that it looks like the line below. In Apache 2, which does not already have this line, add it as a new line.

ServerSignature Off

By now the Apache configuration file should have these two directives set as below:

ServerSignature Off
ServerTokens Prod


The first line, “ServerSignature Off”, instructs Apache not to display a trailing footer line under server-generated documents (error messages, mod_proxy ftp directory listings, mod_info output, etc.). That footer displays the server version number and the ServerName of the serving virtual host and, with the EMail setting, creates a “mailto:” reference to the ServerAdmin of the referenced document.

The second line, “ServerTokens Prod”, configures Apache to return only “Apache” as the product in the Server response header on every page request, suppressing the OS and the major and minor version information.

Save and close the config file by pressing Shift-Colon (:), then typing “wq” and hitting Enter.

Restart Apache. The typical command is

service httpd restart or /etc/init.d/apache2 restart.

Now you will get only Apache in the Server response header:

Server: Apache
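As an added check (example code written for this post, not code from the original article or from the Apache project), the following Python audits httpd.conf text for the two directives and classifies a Server header value by the ServerTokens level that would produce it. It goes beyond the post by covering all six ServerTokens levels (Prod, Major, Minor, Min, OS, Full), not only Prod and Full; the sample config is a constructed assumption, not any real host's file.

```python
import re

# Constructed sample of a weak httpd.conf (assumption for this example, not a real host's file).
WEAK_CONF = """# Default shipped settings
#ServerTokens Full
ServerTokens OS
ServerSignature On
"""

def apache_directives(config_text):
    """Return the effective ServerTokens/ServerSignature values from config text.
    Directive names are case-insensitive, '#' comment lines are ignored and,
    as in Apache, the last occurrence of a directive wins.
    Limitation: Include'd files are not followed; pass their text in as well."""
    found = {}
    for line in config_text.splitlines():
        m = re.match(r"\s*(ServerTokens|ServerSignature)\s+(\S+)", line, re.IGNORECASE)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found

def config_hardened(config_text):
    """True only if ServerTokens is Prod (or ProductOnly) and ServerSignature is Off."""
    d = apache_directives(config_text)
    return (d.get("servertokens", "").lower() in ("prod", "productonly")
            and d.get("serversignature", "").lower() == "off")

def server_header_level(header_value):
    """Map a Server header value to the ServerTokens level that would produce it.
    'Prod' means only the product name is exposed; each later level reveals more."""
    v = header_value.strip()
    name = r"[A-Za-z-]+"
    if re.fullmatch(name, v):
        return "Prod"                      # Server: Apache
    if re.fullmatch(name + r"/\d+", v):
        return "Major"                     # Server: Apache/2
    if re.fullmatch(name + r"/\d+\.\d+", v):
        return "Minor"                     # Server: Apache/2.4
    if re.fullmatch(name + r"/[\d.]+", v):
        return "Min"                       # Server: Apache/2.4.7
    if re.fullmatch(name + r"/[\d.]+ \([^)]*\)", v):
        return "OS"                        # Server: Apache/2.4.7 (Ubuntu)
    return "Full"                          # module tokens appended, e.g. PHP/4.3.10

if __name__ == "__main__":
    print("weak config hardened?", config_hardened(WEAK_CONF))
    fixed = WEAK_CONF + "ServerSignature Off\nServerTokens Prod\n"
    print("fixed config hardened?", config_hardened(fixed))
    for h in ("Apache", "Apache/2.0.53 (Ubuntu) PHP/4.3.10-10ubuntu4"):
        print(h, "->", server_header_level(h))
```

Feed the function the real config text (and any Include'd fragments such as a distribution's security.conf) after the restart, and compare the level reported for the live Server header against the Prod you expect.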

2 comments:

  1. Security reviews are generally done by specialists who apply the most recent strategies. Now and again, passage level insurance and hostile to infection overhauls shape a key portion of security reviews. SSL and also other essential security authentications are likewise incorporated into review of security.
  2. Thanks for sharing this information, got to learn new things from your blog on SAP SF.