
Use mod_headers to hide server info.

Discussion in 'General Discussion' started by SuperBaby, Jan 11, 2008.

  1. SuperBaby

    When I point to a non-existing page on my website, I got a NOT FOUND page with the above printed.

    For security reasons, how do I turn it off? I read some articles that it can be done by mod_headers. Unfortunately no article has given a clear guideline on how to edit httpd.conf for this purpose.

    Any answer?
     
  2. Stefaans

    You can turn off sensitive information like the Apache version using the ServerTokens and ServerSignature settings in your httpd.conf. I don't think you need to install a whole new module (mod_headers) if this is all you wish to achieve.
     
  3. SuperBaby

    Can you tell me what exactly I should add to httpd.conf? Thanks.
     
  4. Stefaans

    It depends on how much of the information you wish to hide. See the Apache documentation for options: http://httpd.apache.org/docs/1.3/mod/core.html#serversignature

    We like using the following (near the top of httpd.conf):
    Code:
    ServerTokens Minimal
    ServerSignature Off
    Remember to restart Apache for the changes to take effect ;)
     
  5. SuperBaby

    I added those two lines near to the very top of httpd.conf and restarted Apache. Not working at all. Still get the same printing on Not Found page.
     
  6. Stefaans

    I am sorry, my advice was wrong. What I explained was how to change the (invisible) header included with every HTTP response. You are looking for something else...

    You can change the content of the error pages for an account by logging into its cPanel and using the Error pages function. Alternatively you can edit the relevant files in public_html (in this case 404.shtml) directly.
     
  7. SuperBaby

    Which means I have to edit the Error Pages one by one for every account? Is there a method to globally edit them?
     
  8. nickp666

    If you have mod_security installed, add this to your modsec.user.conf and set servertokens to full; that way it will display "YourStringHere" instead of the usual Apache stuff.

    (Obviously change YourStringHere to whatever you want it to show as)
    Code:
    SecServerSignature "YourStringHere"
     
  9. SuperBaby

    I have mod_security2 installed. I opened /home/cpeasyapache/src/modsec.user.conf and it is totally blank. So I added:

    SecServerSignature "ABC"

    and saved the file. Restarted Apache.

    Still not working. Full server info still printed on "Page Not Found" page.

    servertokens is already set to Full under httpd.conf.
     
  10. SuperBaby

    I added SecServerSignature "YourStringHere" to httpd.conf and restarted Apache. Now the string is reduced to:

    Previously it was:

    Thank you very much for the tips.
     
  11. nickp666

    It shouldn't be showing the Perl versions either; it should literally be the string you set.

    Having looked at my httpd.conf, I don't actually have the servertokens option set at all and only have ServerSignature On.

    I distinctly remember having to have servertokens set to full for this to work with Apache 1.3; obviously the same doesn't apply with 2.2. My servers literally return only the custom string I added, none of the module names or versions, so you might want to try removing the servertokens setting.
     
  12. SuperBaby

    I removed the servertokens and restarted Apache. No difference. The Perl version is still there.
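
Added example (not part of the thread, and not cPanel or Apache project code): the thread mixes up two separate disclosure points, the Server response header (ServerTokens, SecServerSignature) and the footer on Apache-generated error pages (ServerSignature). This Python check reports both from a raw HTTP response; the banners, host name and helper names below are constructed for illustration.

```python
import re

# Product tokens of the form name/version, e.g. "Apache/2.2.8" or "Perl/v5.8.8".
VERSIONED_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(v?\d[\w.]*)")
# Footer Apache appends to its generated error pages when ServerSignature is On.
SIGNATURE_FOOTER = re.compile(r"<address>(.*?)</address>", re.I | re.S)


def audit_response(raw: bytes) -> dict:
    """Report version disclosure in the Server header and the error-page footer."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    server = headers.get("server", "")
    footer = SIGNATURE_FOOTER.search(body.decode("iso-8859-1"))
    footer_text = footer.group(1).strip() if footer else ""
    return {
        "server_header": server,
        "header_versions": VERSIONED_TOKEN.findall(server),
        "footer": footer_text,
        "footer_versions": VERSIONED_TOKEN.findall(footer_text),
    }


def build_404(server: str, footer: bool) -> bytes:
    """Constructed sample 404 in the shape of Apache's default error page."""
    body = "<html><head><title>404 Not Found</title></head><body>\n<h1>Not Found</h1>\n"
    if footer:
        body += f"<hr>\n<address>{server} Server at example.com Port 80</address>\n"
    body += "</body></html>\n"
    head = f"HTTP/1.1 404 Not Found\r\nServer: {server}\r\nContent-Type: text/html\r\n\r\n"
    return (head + body).encode("iso-8859-1")


# Constructed banners: what ServerTokens Full and ServerTokens Minimal look like.
FULL = "Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8b mod_perl/2.0.3 Perl/v5.8.8"
MINIMAL = "Apache/2.2.8"

if __name__ == "__main__":
    samples = [("Full, ServerSignature On", build_404(FULL, True)),
               ("Minimal, ServerSignature Off", build_404(MINIMAL, False))]
    for label, raw in samples:
        result = audit_response(raw)
        print(label, result["header_versions"], result["footer"] or "(no footer)")
```

With ServerTokens Minimal the header still carries the Apache version, and turning ServerSignature Off only removes the page footer, so both places need checking after each config change.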
     