A great article 🙂 http://www.tecmint.com/apache-security-tips/

1. How to hide Apache Version and OS Identity from Errors

When you install Apache from source or with a package installer such as yum, its error pages display the version of the Apache web server installed on your server along with the name of the server's operating system. They also show information about the Apache modules installed on your server.

[Image: Show Apache Version]

In the picture above, you can see that Apache shows its version along with the OS installed on your server. This can be a major security threat to your web server as well as your Linux box. To prevent Apache from displaying this information to the world, we need to make some changes in Apache's main configuration file.

Open the configuration file with the vim editor and search for "ServerSignature"; it is On by default. We need to turn this server signature Off. The second line, "ServerTokens Prod", tells Apache to return only "Apache" as the product in the Server response header on every page request. It suppresses the OS, major and minor version info.

# tested with: Linux dwaves.de 3.2.0-4-686-pae #1 SMP Debian 3.2.68-1+deb7u1 i686 GNU/Linux
# greyed stuff: not tested
# find your apache2.conf (in case they moved it again: "OOOPS I MOVED IT AGAIN...")
locate apache2.conf
# if locate is not up to date/not in use
find / -name apache2.conf

# everything below /etc is the global config and should be the one you want ;)
vim /etc/apache2/apache2.conf        # Debian/Ubuntu
# vim /etc/httpd/conf/httpd.conf     # RHEL/CentOS/Fedora
# add those two lines at the end of the file
ServerSignature Off
ServerTokens Prod
# restart apache2
service apache2 restart              # Debian/Ubuntu
# service httpd restart              # RHEL/CentOS/Fedora

[Image: Hide Apache Version]

2. Disable Directory Listing

By default, Apache lists all the contents of the document root directory in the absence of an index file. Please see the image below.

[Image: Apache Directory Listing]

We can turn off directory listing for a specific directory by using the Options directive in the configuration file. To do that, we need to add an entry to the httpd.conf or apache2.conf file.

<Directory /var/www/html>
    Options -Indexes
</Directory>

[Image: Hide Apache Directory Listing]
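
One way to check a config file for both settings from sections 1 and 2, as an added example that is not part of the original article. The function name audit_apache_conf and the sample config are made up for illustration; the script reads a single file and does not follow Include lines.

```shell
#!/bin/sh
# Added example, not from the original article: audit one Apache config file
# for the settings covered in sections 1 and 2.
# Assumption: Include/IncludeOptional are NOT followed; within the file the
# last ServerSignature/ServerTokens line is treated as the effective one.
audit_apache_conf() {
    awk '
    /^[ \t]*#/ { next }                         # Apache comments are whole lines
    { key = tolower($1) }                       # directive names are case-insensitive
    key == "serversignature" { sig = tolower($2) }
    key == "servertokens"    { tok = tolower($2) }
    key == "<directory"      { dir = $2; sub(/>$/, "", dir) }
    key == "</directory>"    { dir = "" }
    key == "options" {
        for (i = 2; i <= NF; i++) {
            opt = tolower($i)
            if (opt == "indexes" || opt == "+indexes" || opt == "all") {
                printf "FAIL Options %s allows directory listing in %s\n", $i, (dir == "" ? "server scope" : dir)
                bad++
            }
        }
    }
    END {
        if (sig != "off")  { printf "FAIL ServerSignature is %s, want Off\n", (sig == "" ? "unset" : sig); bad++ }
        if (tok != "prod") { printf "FAIL ServerTokens is %s, want Prod\n", (tok == "" ? "unset" : tok); bad++ }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample config (not a real server file): a leaky section
# followed by the two lines the article appends at the end of the file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ServerSignature On
ServerTokens OS
<Directory /var/www/html>
    Options Indexes FollowSymLinks
</Directory>
<Directory /var/www/private>
    Options -Indexes
</Directory>
# appended as in section 1
ServerSignature Off
ServerTokens Prod
EOF
audit_apache_conf "$sample" || echo "findings reported above"
rm -f "$sample"
```

On the sample, only the Options Indexes line is reported, because the appended ServerSignature and ServerTokens lines override the earlier ones. The non-zero exit status on findings lets the check gate a deployment script.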

admin