Yuri Robbers [yuri@rulbii.leidenuniv.nl] wrote:
I always try to hide as many details about the services I'm running as possible. I don't want, for example, my ftpd to tell everyone that it's ProFTP 1.2.0 on an i386 running SuSE 7.0 or whatever. Legitimate users don't need this info, and I don't want hackers to be able to get it by just establishing a regular connection.
Of course this is easy to do for most service, but I haven't managed this with Apache. Just surfing to a non-existing page, for example, gives out an error message like this:
Apache/1.3.12 Server at rulbii.leidenuniv.nl Port 80
How do I stop Apache from telling that it is Apache 1.3.12? I have worked my way through httpd.conf, I've read the manual, but still I have no clue... Can anyone help me?
The ServerTokens and ServerSignature directives may be your friend, see http://www.apache.org/docs/mod/core.html#servertokens http://www.apache.org/docs/mod/core.html#serversignature If this does not satisfy, use the source :) -- Kilian