SuperBaby

Well-Known Member
Nov 27, 2003
345
0
166
Thailand
cPanel Access Level
Website Owner
Twitter
Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5 mod_perl/2.0.3 Perl/v5.8.8 Server at www.mydomain.com Port 80
When I point to a non-existing page on my website, I got a NOT FOUND page with the above printed.

For security reasons, how do I turn it off? I read some articles that it can be done by mod_headers. Unfortunately no article has given a clear guideline on how to edit httpd.conf for this purpose.

Any answer?
 

Stefaans

Well-Known Member
Mar 5, 2002
461
4
318
Vancouver, Canada
You can turn off sensitive information like the Apache version using the ServerTokens and ServerSignature settings in your httpd.conf. I don't think you need to install a whole new module (mod_headers) if this is all you wish to achieve.
 

Stefaans

I am sorry, my advice was wrong. What I explained was how to change the (invisible) header included with every HTTP response. You are looking for something else...

You can change the content of the error pages for an account by logging into its cPanel and using the Error pages function. Alternatively you can edit the relevant files in public_html (in this case 404.shtml) directly.
 

nickp666

Well-Known Member
Jan 28, 2005
769
2
168
/dev/null
If you have mod_security installed, add this to your modsec.user.conf and set servertokens to full; that way it will display "YourStringHere" instead of the usual Apache stuff.

(Obviously change YourStringHere to whatever you want it to show as)
Code:
SecServerSignature "YourStringHere"
 

SuperBaby

# locate modsec.user.conf
/home/cpeasyapache/src/modsec.user.conf
/home/cpeasyapache/src/modsec.user.conf.default
/home/cpeasyapache/src/modsec.user.conf.none
I have mod_security2 installed. I opened /home/cpeasyapache/src/modsec.user.conf and it is totally blank. So I added:

SecServerSignature "ABC"

and saved the file. Restarted Apache.

Still not working. Full server info still printed on "Page Not Found" page.

servertokens is already set to Full under httpd.conf.
 

SuperBaby

I added SecServerSignature "YourStringHere" to httpd.conf and restarted Apache. Now the string is reduced to:

YourStringHere mod_perl/2.0.3 Perl/v5.8.8 Server at xxx.com Port 80
Previously it was:

Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5 mod_perl/2.0.3 Perl/v5.8.8 Server at www.mydomain.com Port 80
Thank you very much for the tips.
 

nickp666

It shouldn't be showing the Perl versions either; it should literally be the string you set.

Having looked at my httpd.conf, I don't actually have the servertokens option set at all and only have ServerSignature On.

I distinctly remember having to have servertokens set to full for this to work with Apache 1.3. Obviously the same doesn't apply with 2.2: my servers literally return only the custom string I added, none of the module names or versions, so you might want to try removing the servertokens setting.
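To check what a signature footer still gives away after a configuration change, the sketch below parses the two footer strings quoted in this thread and lists every component that exposes a version. It is an added example, not part of any post above; the function names and the regular expressions are assumptions made for illustration.

```python
import re

# Constructed samples: the two footer strings quoted in the thread above.
BEFORE = ("Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b "
          "mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 "
          "PHP/5.2.5 mod_perl/2.0.3 Perl/v5.8.8 Server at www.mydomain.com Port 80")
AFTER = "YourStringHere mod_perl/2.0.3 Perl/v5.8.8 Server at xxx.com Port 80"

# Trailer that follows the banner in the error-page footer.
TRAILER = re.compile(r"\s+Server at (?P<host>\S+) Port (?P<port>\d+)\s*$")
# One banner token: a parenthesised comment, or name with optional /version.
TOKEN = re.compile(r"\((?P<comment>[^)]*)\)|(?P<name>[^\s/()]+)(?:/(?P<version>\S+))?")


def parse_signature(line):
    """Split a signature footer into banner tokens and the host/port trailer."""
    host = port = None
    m = TRAILER.search(line)
    if m:
        host, port = m.group("host"), int(m.group("port"))
        line = line[:m.start()]
    products, comments = [], []
    for t in TOKEN.finditer(line):
        if t.group("comment") is not None:
            comments.append(t.group("comment"))
        else:
            products.append((t.group("name"), t.group("version")))
    return {"products": products, "comments": comments, "host": host, "port": port}


def disclosed_versions(line):
    """Return {component: version} for every token that reveals a version."""
    return {n: v for n, v in parse_signature(line)["products"] if v}


def audit(line):
    """Summarise what a footer reveals: versioned components, OS hint, vhost."""
    parsed = parse_signature(line)
    return {
        "versions": disclosed_versions(line),
        "os_hint": parsed["comments"],
        "vhost": parsed["host"],
    }


if __name__ == "__main__":
    for label, line in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(line))
```

Run against the "after" string, it still reports mod_perl and Perl versions, which matches what SuperBaby saw. With `ServerSignature Off` the footer line is not emitted at all, and `ServerTokens Prod` reduces the banner in the Server response header to `Apache`.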