Masking your Apache information with ServerTokens

Posted by Phil Smith on 10 January, 2010

No comments yet

This item was filled under [ Apache ]

If you want to give away less information about your current version of Apache, then you can use the ServerTokens directive in the config file (httpd.conf). The recommended one for Production servers is ‘Prod’, which will only tell people you are running Apache. Others as you can see give more information about versions and O/S which may make it easier for attackers.

Your httpd.conf file should look something like this:

#
# Don't give away too much information about all the subcomponents
# we are running.  Comment out this line if you don't mind remote sites
# finding out what major optional modules you are running
ServerTokens OS

Change it to look like this

#
# Don't give away too much information about all the subcomponents
# we are running.  Comment out this line if you don't mind remote sites
# finding out what major optional modules you are running
ServerTokens Prod

ServerTokens

This directive controls whether Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.

ServerTokens Prod[uctOnly]
Server sends (e.g.):
Server:       Apache

ServerTokens Min[imal]
Server sends (e.g.):
Server:       Apache/1.3.0

ServerTokens OS
Server sends (e.g.):
Server: Apache/1.3.0       (Unix)

ServerTokens Full (or not specified)
Server sends (e.g.):
Server: Apache/1.3.0       (Unix) PHP/3.0 MyMod/1.2

Notes

This setting applies to the entire server, and cannot be enabled or disabled on a virtualhost-by-virtualhost basis.

ServerTokens is only available in Apache 1.3 and later; the ProductOnly keyword is only available in versions later than 1.3.12

Tagged with: [ Apache, Confirg, Production ]

You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

« Zend Framework 1.9.7, 1.8.5, and 1.7.9 Released

Sendmail 8.14.4 »

Blog Subscription

Subscribe via RSS Feed stay updated with blog articles

Recent Posts

Tags

.uk 2.3 Apache Apache 1.3 Apache 2.2 Apache 2.3 CCleaner ClamAV Confirg DNS DNSSEC Error logs Firebug HTTP LINX Marketgrid MySQL MySQL 5.1 MySQL 5.5 MySQL Community Server MySQL Connect MySQL Connector MySql Connector/Net MySql Connector/Net 6.3.3 MySQL Workbench NDB Cluster Net-SNMP Network Nominet OpenSSH OpenSSL PHP phpBB Production Security Sendmail Server SSH Thunderbird VirtualBox Webserver logs WinSCP Wordpress Zend Zend Framework
Archives
January 2010

M T W T F S S

« Dec Feb »

1 2 3

4 5 6 7 8 9 10

11 12 13 14 15 16 17

18 19 20 21 22 23 24

25 26 27 28 29 30 31
Categories
- Apache (9)
- DNS (5)
- Misc (2)
- MySQL (26)
- News (14)
- OpenSSH (2)
- OpenSSL (5)
- Releases (64)
- Tips (2)
- Tools (3)
- Uncategorized (1)
- Virtualbox (1)
- Wireshark (1)
- Zend/PHP (8)
Links

Cloud Testing
Website Archiving Service
Website History Service
The Browser Guru
UK Forces Discounts
Nursery Fresh Postal Flowers
Nursery Fresh Wholesale Flowers
Website-Archiving Blog
- Showing the differences in your daily archives August 27, 2010
  Our new screenshot compare tool has just been released. It allows you to view two screenshot archives and then fade them in / out using the slider making spotting differences in the pages easy. In this first view, with the slider at the top set to 25% we see more of the first captured screenshot. […]
- New SEC (Securities and Exchange Commission) Compliance website August 26, 2010
  We’ve just set-up a new website to help clients with teh difficulties of SEC (Securities and Exchange Commission) compliance – http://www.sec-compliance.net/. […]
- New feature to show when your archived pages have changed August 25, 2010
  We’ve just released another new feature that allows you to see at a glance when your archived pages have changed – see example below. For further information and features see the main Website-Archive website http://www.website-archive.com/ […]
- New re-branded archiving portal August 24, 2010
  We’re pleased to announce the new updated and re-branded archiving portal http://portal.website-archive.com/. The changes include incorporation of the Website Archive logo along with preparations for our upcoming new services which are currently in closed beta: RSS Archiving Document Archiving File Archiving You can view an on-line demo version of the servic […]
- Document and File Archiving August 23, 2010
  Our file and document archiving service is now in full beta. It allows subscribers to make daily archives of online files and documents, such as Word Doc, XLS, PDF etc. These files are stored in our secure data centres for compliance and record keeping purposes. The following websites will be used for providing more details […]
- FISMA Compliance August 20, 2010
  FISMA (Federal Information Security Management Act) is a United States federal law enacted in 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for […]
- Searching for content within your daily website archives August 19, 2010
  In addition to searching within the URL or page names, you can also search winthin your archives for particular content. The resulting search results show which of your archived pages contain the search term in the content and on which day(s): You can view an on-line demo version of the service at http://www.website-archive.com/. […]
- RSS Feed Archiving Service now in beta August 17, 2010
  I’m pleased to announce that we’ve released our new archiving service for RSS feeds to selected beta testing customers. The service will allow subscribers to the service to have RSS feeds archived for compliance and record keeping purposes. This can be either a feed of your own blog, or news events, or information from other […]
- Authenticity signatures for your archives August 16, 2010
  We’ve just released another new feature for our Website Archiving service, which allows you to easily view the authenticity signatures for your archives. We capture, calculate and store a number of signatures to ensure the integrity of the archived information. You can view an on-line demo version of the service at http://www.website-archive.com/. […]
- New navigation for Website Archiving service August 15, 2010
  We’ve just released a new and updated navigation to allow easier access to your archived website screenshots. You can now easily click on one of the Daily, Weekly or Monthly links to view all the screenshots for a particular page. You can view an on-line demo version of the service at http://www.website-archive.com/. […]
The Browser Guru
- Useful links for Cloud Testing and Archiving August 21, 2010
  Links: www.cloudtesting.com www.cloud-testing.com www.cloudtesting.co.uk www.cloudtesting.us www.cloudtesting.eu www.cloudloadtesting.com www.cloudloadtesting.co.uk www.cloudloadtest.com www.cloudloadtest.co.uk www.cloudwebtest.com www.themonitoringcloud.com www.themonitoringcloud.co.uk www.monitoringcloud.com www.loadtestingcloud.com www.cloudtesting.jp www […]
- 97% of Chrome users running the latest version August 7, 2010
  According to “Why Silent Updates Boost Security” (download PDF), 97% of Chrome users were running the latest version of the browser within 21 days of the last update’s release. By comparison, 85% of Firefox users were up-to-date in the same span, while only 53% Safari users could say the same. […]
- Firefox 3.6.8 released July 23, 2010
  Security Advisories Fixed in Firefox 3.6.8: MFSA 2010-48 Dangling pointer crash regression from plugin parameter array fix From http://www.mozilla.org/security/known-vulnerabilities/firefox36.html […]
- FINRA Compliance July 11, 2010
  FINRA (Financial Industry Regulatory Authority) was created in July 2007 with the consolidation of the regulation enforcement and arbitration functions of the New York Stock Exchange with the National Association Of Securities Dealers (NASD). FINRA in conjunction with the Securities and Exchange Commission (SEC) are regulatory agencies for the financial serv […]
- Firefox 3.6.6 June 27, 2010
  Firefox 3.6.6 modifies the crash protection feature to increase the amount of time that plugins are allowed to be non-responsive before being terminated. […]
- Firefox gets crash protection with release of version 3.6.4 June 23, 2010
  Firefox 3.6.4 has been released with crash protection for Adobe’s Flash Player, Apple ‘s QuickTime and Microsoft ‘s Silverlight plug-ins, and is available only in Firefox for Windows and Linux . Mozilla is still working on the “out of process plug-ins,” or OOPP feature, for the Mac version. The version also patches nine vulnerabilities, six […]
- Firefox 3.5.10 June 23, 2010
  Firefox 3.5.10 has been released – it patches nine vulnerabilities, six of them critical. […]
- Safari 5.0 June 10, 2010
  This update contains new features including: Safari Reader: Click on the new Reader icon to view articles on the web in a single, clutter-free page. Improved Performance: Safari 5 executes JavaScript up to 25% faster than Safari 4. Better page caching and DNS prefetching speed up browsing. Bing Search Option: New Bing search option for […]
- Firefox 3.6.2 March 20, 2010
  Mozilla yesterday released a beta version of the Firefox 3.6 browser to fix several stability and security issues. Firefox 3.6.2 has been released to Mozilla’s beta tester community, and includes several bug fixes such as crashes when using Adobe’s ClickMap add-on. Other problems reported by some users, such as there being no prompt to update […]
- Apple Safari 4.0.5 March 13, 2010
  Apple has released Safari 4.0.5 to address multiple vulnerabilities in ColorSync, ImageIO, PubSub, Safari, and WebKit. These vulnerabilities may allow a remote attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or bypass security restrictions. US-CERT encourages users and administrators to review Apple arti […]

January 2010
M	T	W	T	F	S	S
« Dec		Feb »
	1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30	31

Marketgrid on Twitter
- Marketgrid: Wireshark 1.4.0 - http://www.marketgrid.com/blog/2010/09/wireshark-1-4-0/ September 1, 2010
- Marketgrid: MySQL Connector/Net 6.2.4 - http://www.marketgrid.com/blog/2010/08/mysql-connectornet-6-2-4/ September 1, 2010
- Marketgrid: MySQL Connector/Net 6.0.7 - http://www.marketgrid.com/blog/2010/08/mysql-connectornet-6-0-7/ September 1, 2010
- Marketgrid: MySQL Connector/Net 6.1.5 released - http://www.marketgrid.com/blog/2010/08/mysql-connectornet-6-1-5/ August 30, 2010
- Marketgrid: OpenSSH 5.6 http://www.marketgrid.com/blog/2010/08/openssh-5-6/ August 23, 2010
- Marketgrid: RT @Website_Archive: Searching for content within your daily website archives http://www.website-archive.com/blog/?p=178 August 19, 2010
- Marketgrid: RT @cloud_links: New RSS Archiving service - http://www.rss-archiving.com/ August 19, 2010
- Marketgrid: RT @cloud_links: New RSS Archiving service for compliance - http://www.rsscompliance.com/ August 19, 2010
- Marketgrid: RT @cloud_links: New RSS Archiving service for compliance - http://www.rss-compliance.com/ August 19, 2010
- Marketgrid: RT @cloud_links: HIPAA compliance - http://www.hipaa-website-compliance.com/ August 19, 2010
Cloud Testing Blog
- Updated branding for CloudTesting and Website-Archive Portals August 24, 2010
  We’re pleased to announce the new updated and re-branded website testing and archiving portals at http://portal.cloudtesting.com/ and http://portal.website-archive.com/. The changes include incorporation of the Website Archive logo along with preparations for our upcoming new services which are currently in closed beta: RSS Archiving Document Archiving File […]
- Authenticity signatures for your archives August 18, 2010
  We’ve just released another new feature for our Website Archiving service, which allows you to easily view the authenticity signatures for your archives. We capture, calculate and store a number of signatures to ensure the integrity of the archived information. You can view an on-line demo version of the service at http://www.website-archive.com/. […]
- RSS Feed Archiving Service August 17, 2010
  We’re pleased to announce that we’ve released our new archiving service for RSS feeds to selected beta testing customers. The service will allow subscribers to the service to have RSS feeds archived for compliance and record keeping purposes. This can be either a feed of your own blog, or news events, or information from other […]
- Google releases Chrome 6 beta. August 12, 2010
  In this latest release is a 15 per cent speed improvement on the V8 and SunSpider javascript benchmarks, as well as a few of the new features including Autofill, a streamlined upper toolbar, made the Omnibox more approachable, and condensed all of the options into a single menu. […]
- Windows security updates applied to Cloud Testing Agents August 10, 2010
  All of the windows based agents have been updated with the following windows patches: Critical Security Bulletins Microsoft Security Bulletin MS10-049 - Affected Software: - Windows XP Service Pack 3 - Windows XP Professional x64 Edition Service Pack 2 - Windows Server 2003 Service Pack 2 - Windows Server 2003 x64 Edition Service Pack 2 […]
- Firefox 4.0 to be silently updated August 7, 2010
  Firefox is hoping to add an auto/silent update feature to Firefox 4.0, which will be enabled by default, but can be turned off. The major update dialog box will only be used for changes like version 4 to 4.5 or 5 according to Alex Faaborg on the “mozilla.dev.apps.firefox” forum. Users will still see the updating […]
- 97% of Chrome users running the latest version compared to 85% for Firefox and 53% for Safari August 7, 2010
  According to “Why Silent Updates Boost Security” (download PDF), 97% of Chrome users were running the latest version of the browser within 21 days of the last update’s release. By comparison, 85% of Firefox users were up-to-date in the same span, while only 53% Safari users could say the same. The Chrome browser is auto […]
- Firefox 3.6.8 released July 23, 2010
  Security Advisories Fixed in Firefox 3.6.8: MFSA 2010-48 Dangling pointer crash regression from plugin parameter array fix From http://www.mozilla.org/security/known-vulnerabilities/firefox36.html […]
- Release of 1.9.0 Cloud Testing agent software July 23, 2010
  We’re pleased to announce the release of version 1.9.0 of the agent software. This has been deployed onto our Cloud Testing servers, and is available to Private Agent subscribers in the download area. New features include: Extra commands – see recent posting. Improved timeout handling (there is a 15 minute maximum run time for a […]
- New commands added July 21, 2010
  Following a request from a customer (Andrew from AMEE), we’ve added a number of new commands to our Functional and Cross Browser testing service. Our standard service always captures a screenshot after the following Selenium commands: Open Click and Wait Open Window Refresh Refresh and Wait Submit Submit and Wait Go Back Go Back and […]

Marketgrid Consulting Blog

Recent Posts

Apache HTTP Server 2.3.8-alpha

Wireshark 1.4.0

MySQL Connector/Net 6.2.4

MySQL Connector/Net 6.0.7

Browse by Tags

Masking your Apache information with ServerTokens

ServerTokens

Notes

Blog Subscription

Recent Posts

Archives

Categories

Links

Website-Archiving Blog

The Browser Guru

Marketgrid on Twitter

Cloud Testing Blog