How do I remove the Server: header from the HTTP response with Apache?

18

I would like to remove the line:

Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g

from my server's HTTP responses, but I couldn't find anything other than modifying include/ap_release.h and compiling Apache myself. I wanted to know whether there is a way I don't know about?

    
por Neo 21.05.2011 / 23:07

2 answers

16

You can remove or mask the server identification in the HTTP header using the open-source web application firewall ModSecurity.

Server identity masking

One technique that often helps slow down and confuse attackers is the web server identity change. Web servers typically send their identity with every HTTP response in the Server header. Apache is particularly helpful here, not only sending its name and full version by default, but it also allows server modules to append their versions too.

To change the identity of the Apache web server you would have to go into the source code, find where the name "Apache" is hard-coded, change it, and recompile the server. The same effect can be achieved using the SecServerSignature directive:

SecServerSignature "Microsoft-IIS/5.0"

It should be noted that although this works quite well, skilled attackers (and tools) may use other techniques to "fingerprint" the web server. For example, default files, error messages, the ordering of the outgoing headers, the way the server responds to certain requests and similar can all give away the true identity. I will look into further enhancing the support for identity masking in future releases of mod_security.

If you change the Apache signature but you are annoyed by the strange message in the error log (some modules are still visible; this only affects the error log, from the outside it still works as expected):

[Fri Jun 11 04:02:28 2004] [notice] Microsoft-IIS/5.0 mod_ssl/2.8.12 OpenSSL/0.9.6b \ configured -- resuming normal operations

then you should re-arrange the module loading order to allow mod_security to run last, exactly as explained for chrooting.

Note

In order for this directive to work you must leave/set ServerTokens to Full.

When the SecServerSignature directive is used to change the public server signature, ModSecurity will start writing the real signature to the error log, to allow you to identify the web server and the modules used.

Source: ModSecurity reference manual

    
por 21.05.2011 / 23:45
24

If you set ServerTokens to "Prod", you can reduce the header to "Server: Apache". See the documentation for the full list of options:

Documentation for Apache 2.2

Documentation for Apache 2.4

Note: the settings are the same in both versions; however, the 2.4 documentation adds this note:

Setting ServerTokens to less than minimal is not recommended because it makes it more difficult to debug interoperational problems. Also note that disabling the Server: header does nothing at all to make your server more secure. The idea of "security through obscurity" is a myth and leads to a false sense of safety.

If you want to remove the word "Apache" completely, you will have to modify the source.

    
por 21.05.2011 / 23:26
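As an added example (not code from either answer or from the Apache project), here is a small Python checker that reads a captured HTTP response and reports which ServerTokens level its Server: header corresponds to, so you can confirm from the outside what a change to ServerTokens or SecServerSignature actually exposed. The header shapes per level follow the Apache documentation linked above (Prod, Major, Minor, Minimal, OS, Full); the three sample responses are constructed for this example, the first one reusing the header value from the question.

```python
"""Report what an Apache Server: header reveals, by ServerTokens level.

Added example, not part of the original question or answers. The per-level
header shapes come from the Apache httpd ServerTokens documentation; the
sample responses are constructed.
"""
import re
from typing import Optional

# ServerTokens level -> regex for the Server header it produces, least to
# most verbose. A header that matches none of these is not an Apache
# signature at all (for instance one replaced by SecServerSignature).
LEVELS = [
    ("Prod",    r"^Apache$"),
    ("Major",   r"^Apache/\d+$"),
    ("Minor",   r"^Apache/\d+\.\d+$"),
    ("Minimal", r"^Apache/\d+\.\d+\.\d+$"),
    ("OS",      r"^Apache/\d+\.\d+\.\d+ \([^)]+\)$"),
    ("Full",    r"^Apache/\d+\.\d+\.\d+ \([^)]+\) .+$"),
]


def server_header(raw_response: str) -> Optional[str]:
    """Return the value of the Server: header of a raw HTTP response, or None."""
    head = raw_response.partition("\r\n\r\n")[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def classify(raw_response: str) -> str:
    """Map the Server: header to the ServerTokens level that would produce it.

    Returns "absent" when there is no Server header, "masked" when the value
    does not look like an Apache signature, otherwise the level name.
    """
    value = server_header(raw_response)
    if value is None:
        return "absent"
    for level, pattern in LEVELS:
        if re.match(pattern, value):
            return level
    return "masked"


def leaks_versions(raw_response: str) -> bool:
    """True when the header exposes a version number, i.e. anything above Prod."""
    return classify(raw_response) not in ("absent", "masked", "Prod")


def _response(server_line: Optional[str]) -> str:
    """Build a constructed HTTP response with the given Server: line (or none)."""
    headers = ["HTTP/1.1 200 OK", "Date: Sat, 21 May 2011 21:07:00 GMT"]
    if server_line is not None:
        headers.append("Server: " + server_line)
    headers.append("Content-Type: text/html")
    return "\r\n".join(headers) + "\r\n\r\n<html></html>"


# Constructed samples: the default (Full) header from the question, the
# reduced header after ServerTokens Prod, and a SecServerSignature value.
FULL_RESPONSE = _response(
    "Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch "
    "mod_ssl/2.2.8 OpenSSL/0.9.8g"
)
PROD_RESPONSE = _response("Apache")
MASKED_RESPONSE = _response("Microsoft-IIS/5.0")
NO_SERVER_RESPONSE = _response(None)

if __name__ == "__main__":
    for name, resp in [("default", FULL_RESPONSE), ("Prod", PROD_RESPONSE),
                       ("masked", MASKED_RESPONSE), ("no header", NO_SERVER_RESPONSE)]:
        print(f"{name:10} -> {classify(resp):8} leaks versions: {leaks_versions(resp)}")
```

Feed it the raw response you captured from your own server (for example the output of a HEAD request saved to a file) and compare the reported level with the ServerTokens value you configured; a "masked" result with a Server header that is not "Apache" is what the SecServerSignature approach from the first answer produces.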