
Server Security - Apache Web Server Hardening

Whenever a client makes a request to a server, headers travel in both directions: the client sends request headers, and the server sends response headers. The response headers often carry extra information about the server itself.

This information can help an attacker profile your server and find a way in, so hiding it is part of securing the server against unauthorized access.

In this article, “Server Security – Apache Web Server Hardening”, I will harden the Apache server by removing the server details from the response headers. The information disclosure involved here is what a Banner Grabbing attack relies on.

In Banner Grabbing, an attacker reads the banners a service returns in order to identify the target's operating system, server software and version, and then looks for weaknesses matching that version.

To understand this, look at the image below.

[Image: Server Vulnerability – Server Details (screenshot of the response headers)]

If you look at the image, you will see that the server response headers give away a lot of detail.

We are getting the following items:

1. Server name and version (Apache 2.4.43)
2. OS name (Win64)
3. Web language name and version (PHP 7.3.17)

That is more than enough information for an attacker to pick version-specific attacks against your server.

Prevention:


The best way to prevent this is to remove the sensitive information from the response headers. To do this you have to change the httpd.conf file, which is the main configuration file of your Apache server.

You will usually find httpd.conf in one of the following locations:

Ubuntu – /etc/apache2
CentOS – /etc/httpd/conf
Windows (WAMP) – wamp/apache2/conf/

Steps:


  1. Open httpd.conf file
  2. Search for “ServerTokens” and set its value to Prod. If the directive does not exist, add it at the end of the file.
  3. Save the file.
  4. Restart the server.

Final Result

Note: In Apache versions before 2.0.44, you also have to set “ServerSignature” to Off to achieve the same result, because ServerTokens did not yet control the signature line.

Version < 2.0.44:

ServerSignature Off
ServerTokens Prod

Version > 2.0.44:

ServerTokens Prod

ServerTokens Directive

The ServerTokens directive accepts the following values; for each one, the Server header the server sends looks like the example shown:

ServerTokens Prod[uctOnly]      ->  Server: Apache
ServerTokens Major              ->  Server: Apache/2
ServerTokens Minor              ->  Server: Apache/2.0
ServerTokens Min[imal]          ->  Server: Apache/2.0.41
ServerTokens OS                 ->  Server: Apache/2.0.41 (Unix)
ServerTokens Full (or not set)  ->  Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2


ServerSignature Directive

The ServerSignature is the footer line that appears at the bottom of pages generated by Apache itself, such as 404 error pages and directory listings.

Since version 2.0.44, the ServerTokens directive also controls how much detail appears in that signature line, so ServerTokens Prod covers both the Server header and the signature.
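To verify the change after restarting, it helps to check the response headers the same way an attacker's banner grab would read them. The following Python script is an added example, not part of the original article: it parses a raw HTTP response, maps the Server header back to the ServerTokens level that would produce it (using the table above), and flags the PHP X-Powered-By header, which ServerTokens does not control. Both sample responses are constructed, not captured from a real host.

```python
# Constructed sample responses (not captured from any real host). The first
# mirrors the kind of leak shown in the article's screenshot; the second is
# what a server running with "ServerTokens Prod" returns.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.3.17\r\n"
    "X-Powered-By: PHP/7.3.17\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return the response headers as a dict keyed by lower-cased name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def infer_server_tokens(server_value):
    """Map a Server header value to the ServerTokens level that produces it."""
    tokens = server_value.split()
    product, _, version = tokens[0].partition("/")
    if not version:                            # "Apache"
        return "Prod"
    if len(tokens) == 1:                       # "Apache/2", "Apache/2.0", "Apache/2.0.41"
        return {1: "Major", 2: "Minor"}.get(version.count(".") + 1, "Min")
    if len(tokens) == 2 and tokens[1].startswith("(") and tokens[1].endswith(")"):
        return "OS"                            # "Apache/2.0.41 (Unix)"
    return "Full"                              # module tokens appended after the OS

def audit_banner(raw):
    """List banner-disclosure findings; an empty list means nothing leaked."""
    headers = parse_headers(raw)
    findings = []
    server = headers.get("server")
    if server is not None and infer_server_tokens(server) != "Prod":
        findings.append(f"Server header at ServerTokens {infer_server_tokens(server)} level: {server!r}")
    if "x-powered-by" in headers:              # set by PHP, not by ServerTokens
        findings.append(f"X-Powered-By discloses stack: {headers['x-powered-by']!r}")
    return findings

if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_banner(raw) or ["no banner leakage detected"])
```

In practice you would feed it the output of a request to your own server (for example the headers printed by curl -I) and expect an empty findings list after the change.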

