I’ve recently spent a lot of time reviewing the OWASP documentation, and (like many corporations) realized that I’d neglected to keep up with this configuration item.
Advertising the exact version of every piece of server software you run lets an attacker fingerprint the stack in seconds and go straight to the published vulnerabilities for that release, instead of having to probe for them. Hiding the version is not a substitute for patching, but it removes the cheapest reconnaissance step.
There are a few simple steps a server admin can take to strip this information from the HTTP response headers and the default error pages.
Apache HTTPd:
On Debian/Ubuntu both directives already exist in security.conf (set to OS and On), so change the existing lines rather than adding duplicates:
sudo vi /etc/apache2/conf-enabled/security.conf
- Set:
ServerTokens ProductOnly
ServerSignature Off
- ServerTokens is only valid in the main server config and reduces the header to "Server: Apache"; stock Apache has no directive to drop the Server header entirely. ServerSignature controls the version footer on generated error pages and directory listings. Virtual hosts inherit the global Off, but any <VirtualHost> block or .htaccess that sets it On overrides that, so check each one and set:
ServerSignature Off
sudo apache2ctl configtest && sudo service apache2 restart
Apache Tomcat:
sudo vi /opt/tomcat7/conf/server.xml
- Find each <Connector> entry and add the server attribute, which replaces the Server header Tomcat would otherwise send (Apache-Coyote/1.1 on Tomcat 7):
server="Apache"
- Tomcat also prints its full version in the footer of its default error pages. It reads that string from a ServerInfo.properties resource, and a copy placed under the lib directory is loaded ahead of the one bundled in catalina.jar:
cd /opt/tomcat7/lib
sudo mkdir -p org/apache/catalina/util
sudo vi /opt/tomcat7/lib/org/apache/catalina/util/ServerInfo.properties
server.info=Apache Tomcat
sudo service tomcat7 restart
- /opt/tomcat7/bin/version.sh should now report "Server version: Apache Tomcat" with no version number.
PHP:
PHP adds its own header to every response it generates, e.g. "X-Powered-By: PHP/5.x.x-1ubuntuX.X".
sudo vi /etc/php5/apache2/php.ini
expose_php = Off
sudo service apache2 restart
- This php.ini is the one the Apache module reads. If PHP also runs under php-fpm or the CLI, each SAPI has its own php.ini (e.g. /etc/php5/fpm/php.ini) that must be changed separately. expose_php = Off additionally disables the PHP easter-egg query strings, which reveal the version even when the header is gone.
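A quick way to verify all three changes from the shell, as an added example that is not part of the original post: leaky_headers reads raw response headers on stdin and prints any Server or X-Powered-By style header that still carries a version number; version_in_body scans a page body for the Apache and Tomcat version footers that ServerSignature and ServerInfo.properties control; probe fetches a live URL plus a deliberately missing path (where the error-page footer appears) and runs both checks. The header list, the version regexes and the probe path are my own choices, not anything the post prescribes, and the sample responses in the usage lines are constructed.

```shell
#!/bin/sh
# Added example: check a server for leaked version strings after applying the
# ServerTokens / ServerSignature / server= / expose_php changes described above.

# Print every response header that still carries a version number.
# The header list and the "digits.digits" test are this script's assumptions.
leaky_headers() {
  tr -d '\r' \
    | grep -iE '^(Server|X-Powered-By|X-AspNet-Version|X-AspNetMvc-Version):' \
    | grep -E '[0-9]+\.[0-9]+' \
    || true
}

# Print product/version strings found in a response body, e.g. the
# "<address>Apache/2.4.x ... Server at host Port 80</address>" footer that
# ServerSignature On produces, or "<h3>Apache Tomcat/7.0.x</h3>" from
# Tomcat's default error page when ServerInfo.properties is not overridden.
version_in_body() {
  tr -d '\r' \
    | grep -oE '(Apache( Tomcat)?|nginx|PHP)/[0-9]+(\.[0-9]+)+[^<[:space:]]*' \
    || true
}

# Number of leaks across a saved header file and a saved body file;
# a single number that a deploy pipeline can gate on.
leak_count() {
  # usage: leak_count <headers-file> <body-file>
  printf '%s\n%s\n' "$(leaky_headers < "$1")" "$(version_in_body < "$2")" \
    | grep -c . || true
}

# Probe a live server: headers of the given URL, then the body of a path
# that cannot exist, which is what triggers the server's own error page.
# Returns non-zero when anything leaks. The probe path is an assumption.
probe() {
  url=$1
  tmp=$(mktemp -d)
  curl -sSI -m 10 "$url" > "$tmp/headers"
  curl -sS -m 10 "${url%/}/does-not-exist-$$" > "$tmp/body"
  leaky_headers < "$tmp/headers"
  version_in_body < "$tmp/body"
  n=$(leak_count "$tmp/headers" "$tmp/body")
  rm -rf "$tmp"
  echo "$n leak(s) found for $url"
  [ "$n" -eq 0 ]
}

# Usage with a constructed (not captured) response, so it runs offline:
printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/5.6.40-1ubuntu3.2\r\n\r\n' \
  | leaky_headers
printf '<address>Apache/2.4.41 (Ubuntu) Server at example.com Port 80</address>\n' \
  | version_in_body

# Live check when a URL is supplied on the command line.
if [ $# -ge 1 ]; then
  probe "$1"
fi
```

Save it as a script and run it with the site URL as its argument; after the changes above, the header probe should print nothing and the error page should yield no product/version string, and the non-zero exit status on a leak makes it usable as a post-deploy gate.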