Home / server / Questions / 105714
Accepted
Rook
Asked: 2010-01-24 14:25:01 +0800 CST

How can you obscure the fact that you are running Apache?

  • 772

How can I make it appear as though I'm not running Apache? I figure the best way is to appear as though it is another type of httpd, like lighthttpd or iis. I know that by using mod_security you can change your server signature into anything:

SecServerSignature "Microsoft IIS"

Does anyone know of other tricks in obscuring the HTTPD being used?

apache-2.2 security httpd

4 Answers

  1. Best Answer

    Why would you attempt this?

    There are so many obvious and non-obvious ways that apache httpd reveals itself. Spend your time on real security instead. Version identifiers, stock pages, HTTP headers and loaded modules are just some of the ways Apache httpd reveals itself.

    Run apache with a few modules loaded as possible. Ship logs off to another host and do real-time log analysis.

    Design your system so that a compromise of apache doesn't lead to direct access to whatever you're trying to protect.

    • 7

  2. There are 2 ways. The simplest is to add this to your apache config file :

    ServerSignature Off
ServerTokens Prod

    The other one is to change this file /src/include/httpd.h in the apache source. Change :

    #define SERVER_BASEVENDOR “Apache Group”
#define SERVER_BASEPRODUCT “Apache”
#define SERVER_BASEREVISION “”

    to 

    define SERVER_BASEVENDOR: Microsoft
define SERVER_BASEPRODUCT: Microsoft-IIS
define SERVER_BASEREVISION: 5.0

    Then recomplie apache.

    Others solutions may exits, try "Apache banner faking" on google.

    • 5

  3. One can tell that Apache is being run from the style and content of the stock error pages (404, 500, etc.). Specify your own.

    • 2

  4. As Holst stated, you should really question why you you are wanting to obscure your host. Obscurity is one mechanism for security, but should be assumed to be the weakest, and as such needs to be only one layer in a much more robust security architecture.

    I would highly recommend reviewing the CIS Benchmark for Apache and implementing whatever can be used in your environment. Along with NIST, the Center for Internet Security benchmarks are often used as the basis for standard configurations. Which is great, since the Professional Feed from Nessus includes audit files for comparing against the CIS benchmarks. Moreover, this puts you on the road towards a standard configuration that can be easily audited and greatly lowers the risks associated with attempting to adequately manage a multitude of dissimilar systems.

    Going back to the original question, the CIS Apache Benchmark v2.2 recommend the following settings for Information Leakage Protection

    ServerTokens Prod
ServerSignature Off
    • 2