Apache Web Server

Disabling server signature (`ServerTokens`, `ServerSignature`)

Author: Linux Bash

Securing Your Web Server: A Guide to Disabling Server Signature in Apache

In today’s digital age, cybersecurity is a crucial concern for administrators and businesses alike. One often overlooked, yet significant, aspect of server security settings is the configuration of the server signature. Web servers like Apache and Nginx are configured by default to include server version information in their responses. This behavior can expose the server to potential security threats by telling an attacker exactly which software version is running, and therefore which known vulnerabilities may apply to it. In this blog post, we'll focus on Apache – one of the most popular web servers in use today – and explore how to disable server signatures on a Linux system using the ServerTokens and ServerSignature directives.

What are ServerTokens and ServerSignature?

The ServerTokens directive controls whether Apache sends back the server version number along with the server response headers, while ServerSignature adds a footer line showing the server name and version in server-generated documents (such as error messages or directory listings).

How to Configure ServerTokens

The ServerTokens directive can be configured to control the amount of information Apache sends in the Server HTTP response header. Here are the different options you can set for ServerTokens:

  • Prod (or ProductOnly): This option minimizes the information Apache sends, restricting it to "Apache".
  • Major: Sends the major version number (e.g., "Apache/2").
  • Minor: Sends the major and minor version number (e.g., "Apache/2.4").
  • Min (or Minimal): Sends the full version number (e.g., "Apache/2.4.41").
  • OS: Sends the OS type alongside the detailed server version (e.g., "Apache/2.4.41 (Unix)").

For enhanced security, it's advisable to set this directive to Prod, ensuring that minimal information is being disclosed:

ServerTokens Prod

How to Configure ServerSignature

The ServerSignature directive allows you to configure whether server information appears on error pages and server-generated documents. Here are the possible configurations:

  • On: Displays the server version and virtual host name.
  • Off: No signature line is added to server-generated pages.
  • EMail: Displays the signature together with a mailto: link to the server administrator's e-mail address.

To disable the server signature, set it to Off:

ServerSignature Off

Implementation in Apache Configuration

To apply these settings, locate the Apache configuration file (httpd.conf or apache2.conf), and add or edit the existing ServerTokens and ServerSignature directives:

# Disable ServerTokens
ServerTokens Prod

# Disable ServerSignature
ServerSignature Off

After making these changes, it's necessary to restart Apache to apply the new configuration. This can typically be done using one of the following Linux commands:

sudo systemctl restart apache2

or

sudo service apache2 restart
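As an added example (not the post's code), the bash script below checks the two directives the way a defender would: it computes the value Apache will actually use from a configuration file (the last occurrence wins, and Debian and Ubuntu ship conf-enabled/security.conf, which sets both directives and is included after apache2.conf), and it maps an observed Server header back to the ServerTokens level that produced it. The sample configuration and header values are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not the post's code): audit Apache's ServerTokens/ServerSignature
# settings as a defender would, from a config file and from an observed header.
# Map a Server: response header value to the ServerTokens level that produced it.
classify_server_header() {
  local v="$1"
  local re_major='^Apache/[0-9]+$' re_minor='^Apache/[0-9]+\.[0-9]+$'
  local re_min='^Apache/[0-9]+\.[0-9]+\.[0-9]+$'
  local re_os='^Apache/[0-9]+\.[0-9]+\.[0-9]+ \([^)]*\)$'
  if   [[ "$v" == Apache ]];       then echo Prod
  elif [[ "$v" =~ $re_major ]];    then echo Major
  elif [[ "$v" =~ $re_minor ]];    then echo Minor
  elif [[ "$v" =~ $re_min ]];      then echo Min
  elif [[ "$v" =~ $re_os ]];       then echo OS
  elif [[ "$v" == Apache/* ]];     then echo Full     # module list appended
  else echo Unknown; fi                               # rewritten or not Apache
}

# Print the value of DIRECTIVE that Apache actually uses: the last non-comment
# occurrence wins, and an absent directive falls back to the compiled-in default.
effective_directive() {
  local file="$1" directive="$2" value="$3" line name val
  while IFS= read -r line || [[ -n "$line" ]]; do
    line="${line#"${line%%[![:space:]]*}"}"        # strip leading whitespace
    [[ -z "$line" || "$line" == \#* ]] && continue
    read -r name val <<<"$line"
    [[ "${name,,}" == "${directive,,}" ]] && value="$val"   # names are case-insensitive
  done <"$file"
  echo "$value"
}

# Return 0 when the effective settings match the hardened values recommended above.
audit_config() {
  local file="$1" tokens sig rc=0 re_prod='^prod(uctonly)?$'
  tokens=$(effective_directive "$file" ServerTokens Full)   # Apache default: Full
  sig=$(effective_directive "$file" ServerSignature Off)    # Apache default: Off
  [[ "${tokens,,}" =~ $re_prod ]] || { echo "FAIL: ServerTokens is '$tokens'"; rc=1; }
  [[ "${sig,,}" == off ]]         || { echo "FAIL: ServerSignature is '$sig'"; rc=1; }
  return $rc
}

# Constructed sample (not a real file): hardened lines first, then a later include
# re-sets both directives, the shape of Debian's conf-enabled/security.conf.
sample=$(mktemp)
printf '%s\n' 'ServerTokens Prod' 'ServerSignature Off' \
  '# IncludeOptional conf-enabled/*.conf pulls in:' 'servertokens OS' 'ServerSignature On' >"$sample"
audit_config "$sample" || echo "Effective config still discloses version details"
echo "Header 'Apache/2.4.41 (Unix)' maps to ServerTokens $(classify_server_header 'Apache/2.4.41 (Unix)')"
rm -f "$sample"
```

Run it against your real configuration by pointing audit_config at each file Apache reads, and compare the result with what `curl -sI` shows in the Server header after the restart.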

Security Implications and Best Practices

Disabling the server signature helps mask your server's identity from malicious entities scanning for vulnerable targets. Hiding the Apache version doesn’t inherently secure the server: any vulnerability in the installed version is still present, and version-agnostic scanners will still probe for it. What it does is reduce the information an attacker gains from reconnaissance, making the server a less obvious target.

Conclusion

Configuring ServerTokens and ServerSignature is a simple yet effective measure to enhance your server's security posture. Although it is not a standalone security solution, it forms an essential part of a holistic security strategy. By disclosing less information about the server configuration, businesses make it harder for attackers to match the server against known software vulnerabilities. Always remember that server security is an ongoing process and requires continuous improvement and attention to detail.
