Server: Hide Apache and PHP Identity

To prevent those, who have sticky-fingers, of sniffing around, this is how to make the server “unisex”…

Apache

In the Apache’s httpd.conf configuration file (or its included *.conf files), change the following directives:

ServerTokens Prod
ServerSignature Off

To remove the word “Apache” entirely, it is necessary to modify the source files, where the word is hard-coded, and recompile the server. Or, the same effect can be achieved using the SecServerSignature directive. More info here.

PHP

In the PHP’s configuration file, i.e., the php.ini, change the config as follows:

expose_php Off
; the following are default values for Production value
display_errors = Off
display_startup_errors = Off

Now, restart the Apache server.

Test

Use the following command to test the web server’s identity:

wget -S -O - -q http://SERVER.DOMAIN.TLD > /dev/null
Advertisements
This entry was posted in Linux, Security, Server and tagged , , , , , . Bookmark the permalink.