Disable Apache server signature on your web pages

Source: http://syahik.wordpress.com/tag/server-signature/

In the default configuration of Apache, any error page contains the full signature of the server (the Apache version), which an attacker could exploit. Each version has some deficiencies that could be exploited, and an attacker who knows your version number can use it to focus an attack.

To disable server signature, you will need to edit your /etc/apache2/apache2.conf file.

root@server# nano /etc/apache2/apache2.conf

Press Ctrl+w to search for “ServerSignature” and press return. If you find it, edit it to:

ServerSignature Off
ServerTokens Prod

If you don’t find it, just scroll to the end of the file and add these two lines.

Then reload the Apache configuration to put the change into effect:

sudo /etc/init.d/apache2 reload

Check the new configuration by requesting an invalid address on your server (e.g. http://www.domain.com/unavailablePage.php). You should not see the server signature now, just the server name.
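
One way to script the check above, as an added example that is not part of the original post: a shell function that reads a raw HTTP response and flags a versioned Server header or a signature footer. The function names, the sample responses and the version string in them are constructed for illustration.

```shell
# Added example: report whether an HTTP response still discloses Apache version
# details. Reads headers and body (as printed by `curl -si`) on stdin; returns 0 if clean.
check_disclosure() {
    resp=$(tr -d '\r')
    status=0
    # Headers end at the first blank line; the Server field name is case-insensitive.
    server=$(printf '%s\n' "$resp" | sed '/^$/q' | grep -i '^server:' |
             head -n 1 | sed 's/^[^:]*:[[:space:]]*//')
    case "$server" in
        "")     echo "server-header: absent" ;;
        Apache) echo "server-header: ok (product name only)" ;;
        *)      echo "server-header: discloses '$server'"; status=1 ;;
    esac
    # ServerSignature On or EMail appends an <address> footer to error pages.
    if printf '%s\n' "$resp" | grep -qi '<address>.*Apache'; then
        echo "signature-footer: present"; status=1
    else
        echo "signature-footer: none"
    fi
    return "$status"
}
# Constructed sample responses (version string and module name are made up).
sample_before() {
    cat <<'EOF'
HTTP/1.1 404 Not Found
Server: Apache/2.4.99 (ExampleOS) mod_example/1.0
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Not Found</h1>
<address>Apache/2.4.99 (ExampleOS) Server at www.domain.com Port 80</address>
</body></html>
EOF
}
sample_after() {
    cat <<'EOF'
HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Not Found</h1>
</body></html>
EOF
}
# Against your own server:
#   curl -si http://www.domain.com/unavailablePage.php | check_disclosure
```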



# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
ServerSignature Off

# Don’t give away too much information about all the subcomponents
# we are running. Comment out this line if you don’t mind remote sites
# finding out what major optional modules you are running
# ServerTokens OS