Changing Apache Server Name To Whatever You Want With mod_security On Debian 6

Author: Alireza Razavi Farmad
RayanFarmad Linux Professional Services Co. <info[at]rayanfarmad[dot]ir>

With over 70% of all attacks now carried out at the web application level, organisations need all the help they can get in making their systems secure. Web application firewalls are deployed to establish an external security layer that increases security and detects and prevents attacks before they reach web applications. One simple and basic tip for securing your server is to give out as little information as possible about your OS type, which services you run, which packages are installed, which package versions your server uses, and anything else that would simplify the information-gathering step for hackers.

In this tutorial I want to focus on how to change the Apache server name to whatever you want, so you can put your own name or sentence in the Apache server headers that are sent to whois programs or websites. For example, you can type "YTS", "GWS" or "Microsoft-IIS/7.0" to mislead a hacker who is trying to guess which Linux OS or which version of Apache you are using.

I have installed the "Domain Details" extension for Firefox for these examples. There are also very useful websites, such as domaintools.com or netcraft.com, which help us gather some information from a remote server.

How To Get Web Server’s Name

If you install "DomainDetails" extension in Firefox you can see it in the Add-on bar, and it will give the webserver name and IP address of each website you are visiting.

See the images below:

In the above example you can see that this extension can give the hacker simple but useful information about which webserver is installed and also in the last picture we see the version of Apache.

I see many servers that use old versions of Apache2 with security vulnerabilities that must be patched or upgraded, but their administrators don't pay attention to this, so with this simple information hackers will save time and achieve their goals faster.

How Can I Hide Or Change Apache Web Server Details?

With the default Apache2 configuration we can only hide the Apache version. It can be done as below:

# su root
# vi /etc/apache2/conf.d/security

ServerTokens Prod

See the result:

But the question is how to change the Apache name like this:

Is it possible to change the Apache name to "Microsoft-IIS/7.0" or "foo.bar.com"? 

The answer is: Yes!

This can be done with the powerful ModSecurity web application firewall rules. The configuration is very simple.

So let me start:

Note: I assume that you have a running Apache web server.

# apt-get update
# apt-get install libapache-mod-security

Be sure that the mod-security module is enabled.

# a2enmod mod-security

You should see a message like this:

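Module mod-security already enabled

Now open the security configuration file again:

# vi /etc/apache2/conf.d/security

At about line 27, search for ServerTokens and change it to the value below. ModSecurity overwrites the existing banner string in memory, so ServerTokens must be set to Full for SecServerSignature to take effect: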

ServerTokens Full

At about line 39, search for ServerSignature and change it to:

SecServerSignature RayanFarmad_HTTP_Server

Note: you can type whatever you want after SecServerSignature.

Reload the Apache configuration file:

# /etc/init.d/apache2 reload

You are done! I hope this tutorial will be useful for you.
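
To confirm the change after the reload, the response headers can be checked against the banner you configured. The script below is an added example, not part of the original tutorial; check_banner and the two sample responses are constructed for illustration, and the expected value is the SecServerSignature string used above.

```shell
#!/bin/sh
# Added example, not from the tutorial. check_banner EXPECTED reads HTTP
# response headers on stdin (the output of `curl -sI http://host/`) and
# prints one finding per line. It returns 0 only when the Server header is
# exactly EXPECTED and no X-Powered-By header is present.
check_banner() {
    expected=$1
    findings=$(tr -d '\r' | awk -v want="$expected" '
        /^[^:]+:/ {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value); sub(/[ \t]+$/, "", value)
            if (name == "server") {
                seen = 1
                # Extra tokens (version, OS, modules) also count as a mismatch.
                if (value != want)
                    print "Server is \"" value "\", expected \"" want "\""
            } else if (name == "x-powered-by") {
                print "X-Powered-By discloses \"" value "\""
            }
        }
        END { if (!seen) print "no Server header in response" }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample responses (CRLF line endings, as on the wire).
sample_default() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.2.16 (Debian)\r\nX-Powered-By: PHP/5.3.3\r\n\r\n'
}
sample_hardened() {
    printf 'HTTP/1.1 200 OK\r\nServer: RayanFarmad_HTTP_Server\r\nContent-Type: text/html\r\n\r\n'
}

echo "default configuration:"
sample_default | check_banner "RayanFarmad_HTTP_Server" || true
echo "after the change:"
sample_hardened | check_banner "RayanFarmad_HTTP_Server" && echo "banner OK"
```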

 

1- Mod Security Official website: http://www.modsecurity.org/

2- Debian: http://www.debian.org

Comments

By: Anonymous

eg: Apache that is not installed but extracted to a subdirectory. Normally you would have to edit httpd.conf and then restart the process.

By: Anonymous

Do you want to check this?

 curl -I my.server.com

By: Zerogiven

I would hide the PHP version too :)

vi /etc/php5/apache2/php.ini

expose_php = On

to

expose_php = Off

By:

You can clean up the output of the server header like

Server: YourServerName mod_fcgid/2.3.6 mod_python/3.3.1 Python/2.7.3

setting

   ServerTokens OS

After restarting with apachectl -k graceful you'll find the output looks clear now

   Server: YourServerName

without any module info appended. ; )

best regards

By: jodumont

Sorry to tell you, this trick doesn't fool Wappalyzer.

By: df

Wappalyzer reads the "Server:" HTTP header to gather information on a webserver, so this will fool Wappalyzer. But Wappalyzer also reads the HTML on a page to determine what JavaScript libraries (jQuery, etc.) or CMS software is being used.

So while doing the above will give Wappalyzer less or incorrect information about the webserver (PHP or OpenSSL version, etc.), it won't do anything to hide the fact that you're using Font Awesome or Google Analytics, or whatever.

As a proof of concept, I've set up my webserver to randomly return a "Server:" string for each HTTP(s) request using a list of common web server banners (https://philip.html5.org/data/server-versions-2.txt), powered by nginx and LUA. Details/instructions/proof are at https://b.unni.es/random.html

When I visit my site using Wappalyzer, it reports back Apache/1.3.31 and PHP/5.2.6 and OpenSSL 0.9.7a, none of which are true but that data is in the fake/random webserver banner. When I refresh the page, Wappalyzer remembers the last data it saw so if any new information comes up it adds that to the list of known data about my webserver. That's why Wappalyzer thinks I'm running Apache/1.3.31 on Debian, FreeBSD, Fedora, and Win32 with PHP/5.2.6 and OpenSSL 0.9.7a when it's actually nginx 1.11.2 with no PHP support and OpenSSL 1.0.2h ;-D

It does, however, report correctly that I'm using Disqus for comments on my website.

By: Moses Brodin

Thank you for sharing your thoughts. I really appreciate your efforts and I will be waiting for your further post thank you once again.

By: Al

Nice mate..out of millions of pages yours was the one that worked!

By: shazebict

Thanks for the information, but how can it be achieved on cPanel-based hosted servers?