Saturday, June 23, 2007

securing vps[3]: hide apache version

It's apache turn. The web server still showing its identity when we telnet it. Edit apache2.conf in /etc/apache2/apache2.conf

debian:~# cd /etc/apache2/
debian:/etc/apache2# ls
apache2.conf envvars mods-available ports.conf sites-enabled
conf.d httpd.conf mods-enabled sites-available
debian:/etc/apache2# vi apache2.conf

# only display 'apache'
ServerTokens ProductOnly

# do not display additional information
ServerSignature Off

Don't forget to restart the web service,
debian:/etc/apache2# /etc/init.d/apache2 restart
Forcing reload of web server (apache2)....

The output become:
daniel-adinugrohos-computer:~ adinugro$ telnet 80
Connected to
Escape character is '^]'.

HTTP/1.1 400 Bad Request
Date: Sat, 23 Jun 2007 14:05:04 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=iso-8859-1

Connection closed by foreign host.
daniel-adinugrohos-computer:~ adinugro$

See the differences!

No comments: