Topic: Hide "mod_fcgid/2.3.9" in Apache header response?
mdrmdr



Joined: 05 Apr 2020
Posts: 16

Posted: Thu 09 Apr '20 10:16    Post subject: Hide "mod_fcgid/2.3.9" in Apache header response?

I'm using Apache on a Raspberry. The used version is the one I get with apt-get upgrade.

Code:
Server version: Apache/2.4.25 (Raspbian)
Server built:   2019-10-13T15:43:54


Since this is a "sensitive" server exposed to the internet, I want to - among many other security measures - completely hide the server's signature. I use:

Code:
<IfModule security2_module>
    SecRuleEngine on
    ServerTokens Full
    SecServerSignature "Go Away!"
</IfModule>


But the response still is "Go Away! mod_fcgid/2.3.9".
How do I hide the string "mod_fcgid/2.3.9"?

[Update]
I was too fast with asking :) Found a solution myself. Just set "ServerTokens OS".

[Update 2]
It seems that Major|Minor|Min[imal]|Prod[uctOnly]|OS work (Full does not) as long as the SecServerSignature string is not longer than the one set by ServerTokens. So "GoAway" works with "Prod" (writes "Apache") since both strings are 6 chars long.

If the post is of no use for others, just delete it...
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7294
Location: Germany, Next to Hamburg

Posted: Thu 09 Apr '20 16:06

Another option is to use mod_bikeshed[1]

You can change the signature completely. However, security through obscurity is not the best option ;)



[1] https://github.com/JBlond/mod_bikeshed
DnvrSysEngr



Joined: 15 Apr 2012
Posts: 217
Location: Denver, CO USA

Posted: Thu 09 Apr '20 20:06

In addition to what James Blond mentioned about using mod_bikeshed (which I use as well to hide all APACHE info from the world), you should also hide all PHP info from the world. To hide PHP from the world, make the following change in your php.ini file:

Change the following option

expose_php = On

to

expose_php = Off
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Fri 10 Apr '20 1:20

@DSE .. that only keeps php from announcing itself.
DnvrSysEngr



Joined: 15 Apr 2012
Posts: 217
Location: Denver, CO USA

Posted: Fri 10 Apr '20 1:44

GLS ... That is true. I just generally do not like to give the evil doers in this world too much to work with, so I do my best to hide as much from them as I possibly can.

Just my 2 cents worth 8)