Information leakage in the form of server and module versions is a real help to an attacker: it tells them exactly which software, and which release, to look up exploits for before they touch your server or web application. Cutting down the amount of information the server volunteers makes that reconnaissance harder, and these two quick tips do just that.
In your /etc/apache2/conf.d/security file, look for "ServerTokens" and set it to "Prod": the Server header then names the product only, with no version, OS or module list. The directive is server-wide (it cannot be set per virtual host), and Apache has to be reloaded for the change to take effect. The comment block above the directive explains the options:

# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens Prod

What each value puts in the header, using the examples from the Apache documentation:

ServerTokens Prod                      Server sends (e.g.): Server: Apache
ServerTokens Major                     Server sends (e.g.): Server: Apache/2
ServerTokens Minor                     Server sends (e.g.): Server: Apache/2.0
ServerTokens Minimal                   Server sends (e.g.): Server: Apache/2.0.41
ServerTokens OS                        Server sends (e.g.): Server: Apache/2.0.41 (Unix)
ServerTokens Full (or not specified)   Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

Even with Prod the header still says "Apache": ServerTokens only trims the string, it cannot remove the header. The same string is also printed at the foot of Apache-generated error pages while ServerSignature is On, so set ServerSignature Off alongside it.
In the same vein, stop PHP announcing itself by setting the "expose_php" directive to "Off". While it is On, PHP appends its version to the Server header (visible under ServerTokens Full) and adds its own X-Powered-By: PHP/x.y.z header to every response; Off removes both.
Locate the directive in /etc/php5/apache2/php.ini (the php.ini used by the Apache module; the command-line PHP has its own copy) and set it as shown, then restart Apache so mod_php picks up the change:
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header). It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
expose_php = Off
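As an added example (this is not code from the original post, and it assumes a Linux host with GNU sed), the following script covers both tips at once: header_leaks checks a captured response for the Server and X-Powered-By details the two settings remove, and harden_files rewrites the directives in whatever config files you point it at, setting ServerSignature Off alongside ServerTokens Prod because it prints the same string on error pages. The header blocks and config stand-ins at the bottom are constructed for the demonstration; against a live server you would pipe `curl -sI http://host/` into header_leaks instead.

```shell
#!/bin/sh
# Added example; not code from the original post. Assumes GNU sed (-i).
# set_directive FILE KEY LINE: replace the line that sets KEY (leading
# whitespace allowed, commented-out copies ignored) with LINE, or append
# LINE when KEY is not set at all. Running it twice changes nothing.
set_directive() {
    file=$1; key=$2; line=$3
    if grep -q "^[[:space:]]*$key[[:space:]=]" "$file"; then
        sed -i "s/^[[:space:]]*$key[[:space:]=].*/$line/" "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# harden_files APACHE_SECURITY_CONF PHP_INI
# ServerSignature is set together with ServerTokens: it controls whether
# the same server string is printed at the foot of Apache's error pages.
harden_files() {
    set_directive "$1" ServerTokens    'ServerTokens Prod'
    set_directive "$1" ServerSignature 'ServerSignature Off'
    set_directive "$2" expose_php      'expose_php = Off'
}

# header_leaks: read raw response headers on stdin (e.g. from curl -sI),
# print one line per leak, return 1 if anything leaked and 0 if clean.
header_leaks() {
    hdrs=$(tr -d '\r')        # accept CRLF (real HTTP) or LF (saved files)
    leaks=0
    # Value of the Server header. ServerTokens Prod yields the bare product
    # name; a "/", "(" or space means a version, OS or module list is present.
    server=$(printf '%s\n' "$hdrs" |
        awk 'tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print }')
    case "$server" in
        *'/'*|*'('*|*' '*) echo "Server header leaks details: $server"; leaks=1 ;;
    esac
    # PHP adds X-Powered-By while expose_php = On.
    xpb=$(printf '%s\n' "$hdrs" |
        awk 'tolower($1) == "x-powered-by:" { sub(/^[^:]*:[ \t]*/, ""); print }')
    if [ -n "$xpb" ]; then
        echo "X-Powered-By announces PHP: $xpb"; leaks=1
    fi
    return $leaks
}

# --- demonstration on constructed data -------------------------------------
# Constructed response header blocks: the first mirrors the ServerTokens Full
# example from the post, the second what the same server sends once hardened.
BEFORE='HTTP/1.1 200 OK
Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2
X-Powered-By: PHP/4.2.2
Content-Type: text/html'
AFTER='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

printf '%s\n' "$BEFORE" | header_leaks || echo "before: leaking"
printf '%s\n' "$AFTER"  | header_leaks && echo "after: clean"

# Constructed stand-ins for the two config files, edited in a temp directory.
demo=$(mktemp -d)
printf 'ServerTokens OS\nServerSignature On\n' > "$demo/security"
printf '; expose_php comment\nexpose_php = On\n' > "$demo/php.ini"
harden_files "$demo/security" "$demo/php.ini"
cat "$demo/security" "$demo/php.ini"
rm -r "$demo"
```

The header check deliberately flags any Server value containing a slash, parenthesis or space rather than looking for a specific version string, so it also catches a module that re-adds its own token after you thought the header was clean.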