FORUM NEWS

Apache is without doubt one of the hottest internet servers, however its default configuration comprises questionable choices on many Linux distributions. Apache tends to promote its particular model and the platform it runs on, data that might be beneficial to attackers.

This fast article will present you the way to disable this output to assist defend your server. There’s often no purpose for it to be energetic and turning it off ought to solely take a minute.

What’s the downside?

Here’s a contemporary set up of Apache 2.4 displaying a listing index:

The footer of the web page reveals the Apache model code, the working system title, and the inner IP tackle and port variety of your server.

These are probably delicate particulars. A zero-day vulnerability in Apache might have an effect on solely a small number of variations. By leaving this output on, you present the world in case your machine is at risk. This makes it a lot simpler for attackers to establish your host as a possible goal.

Apache refers to this knowledge as its “server signature”. Not restricted to listing index pages: the model code is included in every HTTP response throughout the Server header:

It is going to be current whatever the response standing code. Attackers can discover your exact model of Apache just by sending a request to your server, no matter whether or not they know a sound URL.

Disable server signing

There are two elements to disabling this undesirable output. first is the ServerSignature worth in your Apache configuration file. The situation of this file varies; /and many others/apache2/apache2.conf Y /usr/native/apache2/conf/httpd.conf are two frequent prospects. the ServerSignature the directive can also be supported inside .htaccess recordsdata in your internet root.

Set the directive to Off To disable the signature that seems on server-generated internet pages:

ServerSignature Off

Restart Apache to use the change:

$ sudo service apache2 restart

This impacts listing listings, default Apache error pages, and different HTML output produced by the server. Off fully removes the signature line. The configuration optionally helps a 3rd worth, EMailwhich gives a hyperlink to ship an electronic mail to the tackle outlined by ServerAdmin:

ServerAdmin [email protected]
ServerSignature EMail

This replaces the Apache model data with the hyperlink within the electronic mail.

Server token administration

the content material of the Server the response header is managed by a distinct setting, ServerTokens. This could solely be set through your server’s international configuration file. not supported indoors .htaccess information

Default is Full which presents the exact model string and title of the working system seen within the instance above. This could additionally embody the model numbers of loaded modules and CGI content material engines like PHP.

The next alternate values ​​are supported:

• Full – Apache/2.4.2 (Ubuntu)
• Prod – Apache
• Main – Apache/2
• Minor – Apache/2.4
• Min – Apache/2.4.2
• OS – Like Full however no details about loaded modules

the Prod selection is the most secure worth. You possibly can consider it as Manufacturingthough it’s really the abbreviation of ProductOnly. This server token means the Server The header will solely reveal that you’re utilizing Apache, with none extra launch data. Attackers should carry out extra trial and error investigations to seek out exploitable vulnerabilities in your set up.

Sadly, there is no such thing as a method to take away the Server header altogether. Apache really maintains that disabling it “does nothing in any respect to make your server safer” and suggests utilizing Min to facilitate the debugging of interoperational issues.

Nevertheless, most individuals by no means devour the Server header and it’s at all times safer to promote as little details about your system as attainable. Whereas it won’t forestall the exploitation of vulnerabilities, ServerTokens Prod might deter attackers from making speculative makes an attempt. It would additionally make it more durable for bystanders to get particulars of the internal workings of your tech stack. It is just a bit tightening up however in the future it might be the distinction you want.

What about PHP?

Apache is commonly used in opposition to PHP-powered web sites and functions. Sadly, PHP has its personal behavior of offering its model quantity to the Web. will seem within the X-Powered-By header of responses despatched by your PHP code.

You possibly can disable this by modifying your PHP configuration file with the next line:

expose_php = Off

The configuration file can often be discovered at /and many others/php/8.1/apache2/php.ini. Exchange 8.1 with the model of PHP you might be utilizing. You have to to restart your internet server to use the change.

Abstract

Apache’s default configuration exposes the exact model variety of your server, in addition to its working system and IP tackle. This seemingly innocuous data may also help attackers searching for weak servers.

Disabling server signing is a fast method to harden your atmosphere. It is also a good suggestion to deal with the publicity of comparable data from different software program in your stack on the identical time. PHP and a few internet frameworks include related vulnerabilities.