A very basic thing you should do if you are running a web server is to hide the operating system and software versions. By default Apache shows the operating system, the Apache version and the modules in use. To reduce this exposure, change the value of the ServerTokens directive in /etc/httpd/conf/httpd.conf.
Open /etc/httpd/conf/httpd.conf, find the line:
ServerTokens Full
into
ServerTokens Prod
ServerTokens Full will show:
Apache/2.2.3 (CentOS) mod_python/3.3.1 Python/2.5.1 PHP/5.2.4 with Suhosin-Patch mod_jk/1.2.25 mod_ssl/2.0.61 OpenSSL/0.9.7e-p1 mod_perl/2.0.3 Perl/v5.8.8
while ServerTokens Prod will show:
Apache
Other options are:
ServerTokens OS returns: Apache/2.2.3 (CentOS)
ServerTokens Min returns: Apache/2.2.3
ServerTokens Minor returns: Apache/2.2
ServerTokens Major returns: Apache/2
Another way to prevent Apache from showing that it is running PHP is to tell PHP not to expose itself. This is done by changing the value of expose_php in /etc/php.ini to Off.
Open /etc/php.ini and find and replace the line:
expose_php = on
with:
expose_php = off
To prevent Apache from exposing the ServerTokens value on every server-generated document, such as error documents, you should set the ServerSignature directive to off (default) or to email.
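To confirm the changes took effect, check the response headers rather than the config files. The script below is an added example, not part of the original article: it infers the ServerTokens level from a Server header and flags the X-Powered-By header that PHP sends when expose_php is on. The function names and the two sample responses are constructed for illustration.

```python
import re

# Constructed sample responses. The "before" Server value is shortened from the
# Full banner quoted above; the X-Powered-By value is an assumed example.
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Server: Apache/2.2.3 (CentOS) mod_python/3.3.1 Python/2.5.1 PHP/5.2.4\r\n"
          "X-Powered-By: PHP/5.2.4\r\n\r\n")
AFTER = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"

# Apache[/version][ (OS)][ module tokens...]
BANNER = re.compile(r"Apache(?:/(\d+(?:\.\d+)*))?(?: \(([^)]*)\))?((?: .+)?)")

def parse_headers(raw):
    """Map lowercase header names to values from a raw HTTP response head."""
    headers = {}
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:                        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def server_tokens_level(banner):
    """Infer which ServerTokens level produced a Server header value."""
    m = BANNER.fullmatch(banner)
    if not m:
        return "unknown"                    # not an Apache httpd banner
    version, os_name, modules = m.groups()
    if modules:
        return "Full"
    if os_name:
        return "OS"
    if version is None:
        return "Prod"
    return {1: "Major", 2: "Minor"}.get(len(version.split(".")), "Min")

def audit(raw):
    """List the version disclosures found in one response."""
    headers = parse_headers(raw)
    findings = []
    level = server_tokens_level(headers.get("server", ""))
    if level not in ("Prod", "unknown"):
        findings.append("ServerTokens %s banner: %s" % (level, headers["server"]))
    if "x-powered-by" in headers:
        findings.append("X-Powered-By header: " + headers["x-powered-by"])
    return findings

if __name__ == "__main__":
    for name, raw in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(raw) or "no version disclosure")
```

Apache must be restarted or reloaded before the new ServerTokens and expose_php values show up in responses.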
