In one of our several articles relating to Apache server security and hardening tips, we explained how to hide Apache version number and other sensitive information.
We discussed how to keep away valuable information such as the web server version number, server operating system details, installed Apache modules and so much more, from being sent along in server-generated documents back to the client (possibly attackers).
In this article, we will show you yet another useful Apache security tip – changing HTTP web server name to anything else in server header.
What do we actually mean here? Take a look at the screen shot below, it shows a listing of directories in our web server document root, beneath that, you can see the server signature (web server name, version, operating system, ip address and port).
Most times, hackers use known vulnerabilities in web server software to attack your websites or web apps, therefore changing the name of your web server makes it difficult for them to know the type of server running on your system. The point is to change the name “Apache” to something else.
This can be achieved by installing Apache mod_security module.
-------- On Debian/Ubuntu -------- $ sudo apt install libapache2-mod-security2 $ sudo a2enmod security2 -------- On CentOS/RHEL and Fedora -------- # yum install mod_security # dnf install mod_security
Then open the Apache configuration file.
$ sudo vi /etc/apache2/apache2.conf #Debian/Ubuntu # vi /etc/httpd/conf/httpd.conf #RHEL/CentOS/Fedora
Now change or add these lines below (make sure to change TecMint_Web to any other thing you want to appear to clients).
ServerTokens Full SecServerSignature “Tecmint_Web”
Finally restart the web server.
$ sudo systemctl restart apache2 #Debian/Ubuntu # systemctl restart httpd #RHEL/CentOS/Fedora
Now verify the page again using curl command or accessing from the browser to see the web server name has changed from Apache to Tecmint_Web.
$ curl -I -L http://domain-or-ipaddress
Thats It! Do check out following articles related to Apache web server.
- Protect Apache Against Brute Force or DDoS Attacks Using Mod_Security
- How to Find MySQL, PHP and Apache Configuration Files
- How to Change Default Apache ‘DocumentRoot’ Directory in Linux
- How to Check Which Apache Modules are Enabled/Loaded in Linux
- 13 Apache Web Server Security and Hardening Tips
In this article, we showed how to change HTTP web server name to anything else in server header in Linux. Use the feedback form below to add you thoughts about this topic.
Can we rename the Apache Installation directory?
Example:
After renaming i am getting below error:
I can’t restart Apache, says:
But I’ve changed the apache.conf how it is before do it and now works… help please. And this is a good article (but it don’t works for me ;-D )
Thanks a ton, very good article..
@hoseinmont
Welcome, thanks for the feedback.
Hi,
Is there any way that I can change the server name through
.htaccessfile? Please let me know. Thanks.@Rahul
To change Apache2 server name to anything, refer to this guide: https://www.tecmint.com/change-apache-server-name-to-anything-in-server-headers/
If you only want to use the htaccess file, consult its documentation: https://httpd.apache.org/docs/2.4/howto/htaccess.html