Sunday, 28 May 2006


I always set ServerTokens to Prod (short for ProductOnly) for a touch of “security through obscurity.”

With this setting the Server header says only that I'm running Apache: no version, no OS, no list of loaded modules. It is obscurity only, mind you; a determined client can still fingerprint the version from other behaviour (header ordering, default error pages, module-specific responses), so treat it as a speed bump rather than a control.

[root@mercury conf]# curl -I localhost
HTTP/1.1 200 OK
Date: Sun, 28 May 2006 20:55:02 GMT
Server: Apache
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "23029d-2c-4c23b600"
Accept-Ranges: bytes
Content-Length: 44
Content-Type: text/html

[root@mercury conf]#

Apache 2.2.x has a new conf file layout, sub-dividing functionality into multiple files and Include'ing them into the main configuration file.

To accomplish the same thing in a pre-2.2.x build of Apache, you would edit one file, ${APACHE_ROOT}/conf/httpd.conf. Out of the box 2.2.x looks at multiple files, as noted, and you need to edit two (2) of them: ${APACHE_ROOT}/conf/httpd.conf and ${APACHE_ROOT}/conf/extra/httpd-default.conf.

Edit ${APACHE_ROOT}/conf/extra/httpd-default.conf, find the line reading ServerTokens Full (Full is the compiled-in default, and what the stock file ships with), and replace it with:

ServerTokens Prod

Next, edit ${APACHE_ROOT}/conf/httpd.conf and uncomment the Include directive for ${APACHE_ROOT}/conf/extra/httpd-default.conf; it ships commented out. Otherwise httpd never reads that file at all and runs on its compiled-in defaults, so you get a “default-default” set of directives, and restarting Apache will leave you quizzically wondering why editing ${APACHE_ROOT}/conf/extra/httpd-default.conf didn’t do the trick.

While you are in httpd-default.conf, note that it also sets ServerSignature On (the compiled-in default is Off); set it Off, or every server-generated error page will still append an “Apache Server at host Port 80” line. Then run apachectl configtest, restart the service (not the server!), repeat the curl -I above to confirm the Server header now reads just Apache, and hide behind your new cloak.
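Here is a small audit script for the “default-default” trap, added as an example and not part of the original post. It walks an Apache 2.2-style tree under a hypothetical ${APACHE_ROOT} and passes only when httpd.conf has an active (uncommented) Include of extra/httpd-default.conf, that file sets ServerTokens Prod, and ServerSignature is Off. The three config trees it builds under a temp directory are constructed sample data, not a real install, and it only inspects those two files, not every Include.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an Apache 2.2-style
# configuration tree for the "default-default" trap described above.
# Passes only when httpd.conf has an ACTIVE (uncommented) Include of
# extra/httpd-default.conf, that file sets ServerTokens Prod, and
# ServerSignature is Off (the stock httpd-default.conf turns it On).

# last_directive <file> <directive>
# Prints the value of the last active (uncommented) occurrence of a
# directive, lower-cased, or nothing if absent. Later lines override earlier.
last_directive() {
    grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" 2>/dev/null \
        | tail -n 1 | awk '{print $2}' | tr '[:upper:]' '[:lower:]'
}

# audit_servertokens <apache_root>
# Emits one line per finding; returns 0 only when everything checks out.
audit_servertokens() {
    main="$1/conf/httpd.conf"
    extra="$1/conf/extra/httpd-default.conf"
    rc=0

    # A '#' in front of Include means httpd never reads httpd-default.conf
    # and runs on compiled-in defaults (ServerTokens Full) whatever it says.
    if ! grep -Eq '^[[:space:]]*Include[[:space:]]+.*extra/httpd-default\.conf' "$main" 2>/dev/null; then
        echo "FAIL: no active Include of extra/httpd-default.conf in $main"
        rc=1
    fi

    # Prod and ProductOnly are the same keyword; values are case-insensitive.
    case "$(last_directive "$extra" ServerTokens)" in
        prod|productonly) ;;
        "") echo "FAIL: ServerTokens not set in $extra (compiled-in default is Full)"; rc=1 ;;
        *)  echo "FAIL: ServerTokens is not Prod in $extra"; rc=1 ;;
    esac

    # Absent is fine (compiled-in default is Off); the stock file says On.
    case "$(last_directive "$extra" ServerSignature)" in
        off|"") ;;
        *)  echo "WARN: ServerSignature is not Off in $extra (error pages will carry a signature)"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $1 hides the Apache version"
    return "$rc"
}

# make_sample_tree <dir> <include_active:yes|no> <tokens> <signature>
# Writes a constructed, minimal two-file config tree for demonstration only.
make_sample_tree() {
    mkdir -p "$1/conf/extra"
    if [ "$2" = yes ]; then inc="Include conf/extra/httpd-default.conf"
    else inc="#Include conf/extra/httpd-default.conf"; fi
    printf 'ServerRoot "%s"\nListen 80\n%s\n' "$1" "$inc" > "$1/conf/httpd.conf"
    printf 'Timeout 300\nServerTokens %s\nServerSignature %s\n' "$3" "$4" \
        > "$1/conf/extra/httpd-default.conf"
}

# Demo: stock 2.2 layout, the half-done edit the post warns about, and the fix.
demo=$(mktemp -d)
make_sample_tree "$demo/stock"     no  Full On
make_sample_tree "$demo/half-done" no  Prod Off
make_sample_tree "$demo/fixed"     yes Prod Off
for t in stock half-done fixed; do
    echo "== $t"
    audit_servertokens "$demo/$t" || echo "   -> exit status $?"
done
rm -rf "$demo"
```

Point it at a real tree with audit_servertokens /usr/local/apache2 (or wherever ${APACHE_ROOT} lives) and it exits non-zero on the half-done case, which is exactly the state the restart-and-wonder symptom comes from.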

The real trick is to hack the source and extend ServerTokens to identify your Apache as IIS, or Tomcat, or…you get the idea. These patches exist on the Internets, and I leave it as an exercise for the reader to implement them as desired.

Posted by caffeinated at 1:28 PM in kaffehaus

