Comments on Changing Apache Server Name To Whatever You Want With mod_security On Debian 6
Changing Apache Server Name To Whatever You Want With mod_security On Debian 6
In this tutorial I want to focus on how to change the Apache server name to whatever you want, so you can put your own name or sentence in the Apache server headers that are sent to whois programs or websites. For example, you can type "YTS", "GWS" or "Microsoft-IIS/7.0" to mislead a hacker who is trying to guess which Linux OS or which version of Apache you are using.
Comments
eg: Apache that is not installed but extracted to a subdirectory. Normally you would have to edit httpd.conf and then restart the process.
Do you want to check this?
curl -I my.server.com
vi /etc/php5/apache2/php.ini
expose_php = On
to
expose_php = Off
You can clean up the output of the server header like
Server: YourServerName mod_fcgid/2.3.6 mod_python/3.3.1 Python/2.7.3
setting
ServerTokens OS
After restarting with apachectl -k graceful you'll find the output looks clear now
Server: YourServerName
without any module info appended. ; )
best regards
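The `curl -I` check from the comments above can be automated. The following is an added example, not part of the original page or its comments: it parses a saved `curl -I` response and lists every Server or X-Powered-By token that still reveals a version or OS. The sample responses are constructed, and the function names are this example's own.

```python
import re

# Response headers that commonly disclose software names and versions.
DISCLOSING = ("server", "x-powered-by")

# A product token with a version, e.g. "mod_fcgid/2.3.6" or "PHP/5.3.3".
PRODUCT_RE = re.compile(r"([A-Za-z0-9_.+-]+)/(\d[\w.-]*)")
# A parenthesised comment, e.g. the "(Debian)" that ServerTokens OS emits.
COMMENT_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample responses. The Server value in BEFORE is the one quoted
# in the comment above; the X-Powered-By value is a constructed example.
BEFORE = """HTTP/1.1 200 OK
Server: YourServerName mod_fcgid/2.3.6 mod_python/3.3.1 Python/2.7.3
X-Powered-By: PHP/5.3.3
Content-Type: text/html
"""
AFTER = """HTTP/1.1 200 OK
Server: YourServerName
Content-Type: text/html
"""

def parse_headers(raw):
    """Parse `curl -I` output into {lowercase name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # end of the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return (header, token) pairs that reveal a version or OS."""
    findings = []
    headers = parse_headers(raw)
    for name in DISCLOSING:
        for value in headers.get(name, []):
            for product, version in PRODUCT_RE.findall(value):
                findings.append((name, f"{product}/{version}"))
            for comment in COMMENT_RE.findall(value):
                findings.append((name, f"({comment})"))
    return findings

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw) or "no version tokens disclosed")
```

The check only looks at response headers; page content that identifies JavaScript libraries or CMS software is outside its scope.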
Sorry to tell you, this trick doesn't fool Wappalyzer.
Wappalyzer reads the "Server:" HTTP header to gather information on a webserver, so this will fool Wappalyzer. But Wappalyzer also reads the HTML on a page to determine what JavaScript libraries (jQuery, etc.) or CMS software is being used.
So while doing the above will give Wappalyzer less or incorrect information about the webserver (PHP or OpenSSL version, etc.), it won't do anything to hide the fact that you're using Font Awesome or Google Analytics, or whatever.
As a proof of concept, I've set up my webserver to randomly return a "Server:" string for each HTTP(S) request using a list of common web server banners (https://philip.html5.org/data/server-versions-2.txt), powered by nginx and Lua. Details/instructions/proof are at https://b.unni.es/random.html
When I visit my site using Wappalyzer, it reports back Apache/1.3.31 and PHP/5.2.6 and OpenSSL 0.9.7a, none of which are true but that data is in the fake/random webserver banner. When I refresh the page, Wappalyzer remembers the last data it saw so if any new information comes up it adds that to the list of known data about my webserver. That's why Wappalyzer thinks I'm running Apache/1.3.31 on Debian, FreeBSD, Fedora, and Win32 with PHP/5.2.6 and OpenSSL 0.9.7a when it's actually nginx 1.11.2 with no PHP support and OpenSSL 1.0.2h ;-D
It does, however, report correctly that I'm using Disqus for comments on my website.
Thank you for sharing your thoughts. I really appreciate your efforts and I will be waiting for your further post thank you once again.
Nice mate..out of millions of pages yours was the one that worked!
Thanks for the information, but how can it be achieved on cPanel-based hosted servers?