logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in  RSS Apache Lounge  


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.



Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Hide "mod_fcgid/2.3.9" in Apache header response?
Author
mdrmdr



Joined: 05 Apr 2020
Posts: 16

PostPosted: Thu 09 Apr '20 10:16    Post subject: Hide "mod_fcgid/2.3.9" in Apache header response? Reply with quote

I'm using Apache on a Raspberry. The used version is the one I get with apt-get upgrade.

Code:
Server version: Apache/2.4.25 (Raspbian)
Server built:   2019-10-13T15:43:54


Since this is a "sensitive" server exposed to the internet, I want to - among many other security measures - completely hide the servers signature. I use:

Code:
<IfModule security2_module>
    SecRuleEngine on
    ServerTokens Full
    SecServerSignature "Go Away!"
</IfModule>


But the response still is "Go Away! mod_fcgid/2.3.9".
How do I hide the string "mod_fcgid/2.3.9"?

[Update]
I was too fast with asking Smile Found an solution myself. Just set "ServerTokens OS".

[Update 2]
It seems that Major|Minor|Min[imal]|Prod[uctOnly]|OS work (Full does not) as long as the SecServerSignature string is not longer than the one set by ServerTokens . So "GoAway" works with "Prod" (writes "Apache") since both strings are 6 chars long.

If the post is of no use for others, just delete it...
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6785
Location: Germany, Next to Hamburg

PostPosted: Thu 09 Apr '20 16:06    Post subject: Reply with quote

Another option is to use mod_bikeshed[1]

You can change the signature completely. However security through obscurity is not the best option Wink



[1] https://github.com/JBlond/mod_bikeshed
Back to top
DnvrSysEngr



Joined: 15 Apr 2012
Posts: 205
Location: Denver, CO USA

PostPosted: Thu 09 Apr '20 20:06    Post subject: Reply with quote

In addition to what James Blond mentioned about using mod_bikeshed (which I use as well to hide all APACHE info to the world), you should also hide all PHP info to the world. To hide PHP from the world, make the following change in your PHP.ini file:

Change the following option

expose_php On

to

expose_php Off
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2243
Location: Sun Diego, USA

PostPosted: Fri 10 Apr '20 1:20    Post subject: Reply with quote

@DSE .. that only keeps php from announcing itself.
Back to top
DnvrSysEngr



Joined: 15 Apr 2012
Posts: 205
Location: Denver, CO USA

PostPosted: Fri 10 Apr '20 1:44    Post subject: Reply with quote

GLS ... That is true. I just generally do not like to give the evil doers in this world too much to work with, so I do my best to hide as much from them as I possibly can.

Just my 2cents worth Cool
Back to top


Reply to topic   Topic: Hide "mod_fcgid/2.3.9" in Apache header response? View previous topic :: View next topic
Post new topic   Forum Index -> Apache