Many web servers advertise not only the software running their web sites but also the version number of that software. This makes it much easier for attackers to find vulnerabilities that apply to those web servers. A typical scan with the popular scanner nmap is shown below.
As we can see, the web server above reports the HTTP server ‘Apache’ together with its version and operating system, ‘2.4.18 ((Ubuntu))’. This is undesirable, as it makes it easier for an attacker to hack the web site.
This is why we will want to change or hide the web server’s advertised banner.
Hiding the Apache web site banner using ModSecurity.
1.) First we will need to edit our /etc/apache2/conf-available/security.conf file. Scroll down and find the ‘ServerTokens OS’ entry. You can delete it or comment it out with the # character. Replace it with ‘ServerTokens Prod’, as shown below; ‘Prod’ limits the Server header to the product name ‘Apache’, with no version or operating system.
You will need to restart Apache with the command below for the changes to security.conf to take effect.
Now when we run the port scan, we can see that the version and OS details are no longer displayed.
Taking it a Step Further: Changing the Apache HTTP Advertisement banner
1.) You may want to take this even further and completely misrepresent what your server is running. To do this, you must have ModSecurity installed and configured. See the link above if you need to set up ModSecurity.
2.) You will need to modify your /etc/apache2/conf-available/security.conf file. Scroll down until you see the ‘ServerSignature On’ entry, usually somewhere around lines 35 – 40. Below it, enter ‘SecServerSignature <YourBannerHere>’ and save your security.conf file. Note that ModSecurity overwrites the signature Apache has already built in place, so this directive only works reliably when ServerTokens is set to ‘Full’; with a shorter setting such as ‘Prod’ there may not be room for the new value. Below I entered the banner for a very outdated version of Microsoft’s IIS. You would probably only want to do this if you were running some kind of honeypot.
3.) Restart the Apache service.
4.) Now when we run our port scan against the web server, the HTTP banner advertises that we are running a Microsoft-IIS/5.0 server.
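To confirm the result without relying on an nmap screenshot, here is an added Python example (not from the original article) that parses the HTTP Server header and reports what it discloses. The three sample responses are constructed to mirror the ServerTokens OS, ServerTokens Prod and SecServerSignature states above, and fetch_head is an assumed helper for checking a real host.

```python
import re
import socket
from typing import Dict, Optional

# Splits "Apache/2.4.18 (Ubuntu)" into product, version and OS tokens.
BANNER_RE = re.compile(r"^(?P<product>[^/\s]+)(?:/(?P<version>\S+))?(?:\s*\((?P<os>[^)]*)\))?")

# Constructed sample responses standing in for the three states in the article:
# ServerTokens OS (default), ServerTokens Prod, and a SecServerSignature spoof.
SAMPLE_OS = "HTTP/1.1 200 OK\r\nServer: Apache/2.4.18 (Ubuntu)\r\nContent-Length: 0\r\n\r\n"
SAMPLE_PROD = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"
SAMPLE_SPOOF = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nContent-Length: 0\r\n\r\n"


def server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def assess_banner(raw_response: str, expected: Optional[str] = None) -> Dict[str, object]:
    """Report what the banner discloses and whether it matches the configured value."""
    banner = server_header(raw_response)
    m = BANNER_RE.match(banner or "")
    return {
        "banner": banner,
        "product": m.group("product") if m else None,
        "discloses_version": bool(m and m.group("version")),
        "discloses_os": bool(m and m.group("os")),
        # A spoofed banner still "discloses" a version, so a scanner-style check alone
        # cannot tell a real leak from a decoy; compare against what was configured.
        "matches_expected": expected is None or banner == expected,
    }


def fetch_head(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Assumed helper: send a HEAD request and return the raw response headers."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        data = b""
        while chunk := sock.recv(4096):
            data += chunk
            if b"\r\n\r\n" in data:
                break
    return data.decode("latin-1")
```

Run assess_banner(fetch_head("your.host"), expected="Apache") after the change; with ServerTokens Prod both discloses_version and discloses_os should be False.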