Use mod_headers to hide server info.

[SuperBaby]

Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5 mod_perl/2.0.3 Perl/v5.8.8 Server at www.mydomain.com Port 80

When I point to a non-existing page on my website, I got a NOT FOUND page with the above printed.

For security reason, how do I turn it off? I read some articles that it can be done by mod_headers. Unfortunately no article has given a clear guideline on how to edit httpd.conf for this purpose.

Any answer?

 

[Stefaans]

You can turn off sensitive information like the Apache version using the ServerTokens and ServerSignature settings in your httpd.conf. I don't think you need to install a whole new module (mod_headers) if this is all you wish to achieve this.

 

[SuperBaby]

Can you tell me what exactly I should add to httpd.conf? Thanks.

 

[Stefaans]

It depends on how much of the information you wish to hide. See the Apache documentation for options: http://httpd.apache.org/docs/1.3/mod/core.html#serversignature

We like using the following (near the top of httpd.conf):

ServerTokens Minimal
ServerSignature Off

Remember to restart Apache for the changes to take effect

 

[SuperBaby]

I added those two lines near to the very top of httpd.conf and restarted Apache. Not working at all. Still get the same printing on Not Found page.

 

[Stefaans]

I am sorry, may advice was wrong. What I explained was how to change the (invisible) header included with every HTTP response. You are looking for something else...

You can change the content of the error pages for an account by logging into its cPanel and using the Error pages function. Alternatively you can edit the relevant files in public_html (in this case 404.shtml) directly.

 

[SuperBaby]

Which means I have to edit the Error Pages one by one for every account? Is there a method to globally edit them?

 

[nickp666]

if you have mod_security installed, add this to your modsec.user.conf and set servertokens to full, that way it will display "YourStringHere" instead of the usual apache stuff.

(Obviously change YourStringHere to whatever you want it to show as)

SecServerSignature "YourStringHere"

 

[SuperBaby]

# locate modsec.user.conf
/home/cpeasyapache/src/modsec.user.conf
/home/cpeasyapache/src/modsec.user.conf.default
/home/cpeasyapache/src/modsec.user.conf.none

I have mod_security2 installed. I opened /home/cpeasyapache/src/modsec.user.conf and it is totally blank. So I added:

SecServerSignature "ABC"

and saved the file. Restarted Apache.

Still not working. Full server info still printed on "Page Not Found" page.

servertokens is already set to Full under httpd.conf.

 

[SuperBaby]

I added SecServerSignature "YourStringHere" to httpd.conf and restarted Apache. Now the string is reduced to:

YourStringHere mod_perl/2.0.3 Perl/v5.8.8 Server at xxx.com Port 80

Previously it was:

Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5 mod_perl/2.0.3 Perl/v5.8.8 Server at www.mydomain.com Port 80

Thank you very much for the tips.

 

[nickp666]

it shouldnt be showing the perl versions either, should litterally be the string you set.

having looked at my httpd.conf, I dont actually have the servertokens option set at all and only have ServerSignature On

I distinctly remember having to have servertokens set to full for this to work with apache 1.3, obviously the same doesnt apply with 2.2, my servers litterally return only the custom string I added, none of the module names or versions, so you might want to try removing the servertokens setting

 

[SuperBaby]

I removed the servertokens and restarted Apache. No difference. The Perl version still there.