Apache Security by Preventing Information Disclosure

The recommendations below prevent Apache from disclosing sensitive information such as the server type and version number. Applying them improves Apache's security posture.

ServerTokens Directive

The Apache ServerTokens directive controls the Server response header field, which the server sends to the client and which by default includes the server version, the operating system and the compiled-in modules. Setting it to Prod (or ProductOnly) sends the minimum information to the client and improves Apache security. The default value is Full, which discloses all of these details.

Solution:
In the httpd.conf file, add or modify the ServerTokens directive as shown below:

ServerTokens Prod
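To verify what the directive actually changes on the wire, here is an added example (not from the original post) that grades a captured HTTP response by its Server header: a value carrying a version, OS or module string is what ServerTokens Full sends, a bare product name is what Prod sends. The two responses embedded below are constructed samples, not captures from a real host.

```shell
#!/bin/sh
# Added example: classify the Server header of an HTTP response.
# Sample responses are constructed; the header formats match what
# ServerTokens Full and ServerTokens Prod produce.

# server_header RESPONSE_TEXT -> prints the Server header value (CR stripped),
# or nothing if the header is absent
server_header() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower(substr($0, 1, 7)) == "server:" {
            sub(/^[^:]*:[ \t]*/, "")   # drop "Server:" and surrounding blanks
            print
            exit
        }'
}

# discloses_version SERVER_VALUE -> 0 if the value carries version/OS/module
# detail ("Apache/2.4.0 (Unix) ..."), 1 if it is only the product name
discloses_version() {
    case "$1" in
        */*|*\(*) return 0 ;;
        *)        return 1 ;;
    esac
}

# grade_response RESPONSE_TEXT -> prints "full", "minimal" or "none"
grade_response() {
    hdr=$(server_header "$1")
    if [ -z "$hdr" ]; then
        echo none
    elif discloses_version "$hdr"; then
        echo full
    else
        echo minimal
    fi
}

# Constructed responses: the first is the shape of a ServerTokens Full
# (default) reply, the second that of ServerTokens Prod.
FULL_RESP='HTTP/1.1 200 OK
Server: Apache/2.4.0 (Unix) OpenSSL/1.1.1
Content-Type: text/html'
PROD_RESP='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

grade_response "$FULL_RESP"   # full
grade_response "$PROD_RESP"   # minimal
```

Against a live server the same function can be fed the output of `curl -sI http://servername/`, so the check can be repeated after editing httpd.conf and reloading Apache to confirm the header now reads "Apache" only.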

ServerSignature Directive

The Apache ServerSignature directive configures a trailing footer line under server-generated documents (such as error pages and directory listings). This directive should be set to Off to avoid disclosing the server version number. The default value of ServerSignature is Off.

Solution:
In the httpd.conf file, add or modify the ServerSignature directive as shown below:

ServerSignature Off

Default Manual Page

An Apache installation ships with default content that is neither required nor appropriate for production use. The primary purpose of this sample content is to provide a default web site or the user manual. All content that is not required should be removed.

Solution:

  • Remove the default index.html or welcome page
  • Remove the Apache user manual content
  • Comment out any Server Status handler configuration

# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the ".example.com" to match your domain to enable.
#
##<Location /server-status>
## SetHandler server-status
## Order deny,allow
## Deny from all
## Allow from .example.com
##</Location>

  • Comment out any Server Information handler configuration

# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the ".example.com" to match your domain to enable.
#
##<Location /server-info>
## SetHandler server-info
## Order deny,allow
## Deny from all
## Allow from .example.com
##</Location>

Default Apache Content

Default content such as the icons should be removed from the web server. Once removed, attackers can no longer scan for icons or other content specific to the server type and version.

Solution:
In the httpd.conf file, the following line should be commented out:
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
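The four solutions above (ServerTokens, ServerSignature, the server-status and server-info handlers, and the autoindex include) can be checked in one pass. The script below is an added example and not part of the original post: it reads an httpd.conf-style file, ignores commented-out lines, and reports each setting that still discloses information. The directive names and values are real Apache directives; the two sample configurations it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an httpd.conf-style file for the information-disclosure
# settings discussed above. Sample configs are constructed.

# active_lines FILE -> prints non-comment lines; never fails
active_lines() {
    grep -v '^[[:space:]]*#' "$1" || true
}

# audit_httpd_conf FILE -> prints one line per weak setting, always returns 0
audit_httpd_conf() {
    active=$(active_lines "$1")

    # Last ServerTokens wins, as in Apache. Missing means the default, Full.
    tokens=$(printf '%s\n' "$active" |
        awk 'tolower($1) == "servertokens" { v = $2 } END { print tolower(v) }')
    case "$tokens" in
        prod|productonly) ;;
        "") echo "ServerTokens missing: default Full discloses OS and modules" ;;
        *)  echo "ServerTokens $tokens: set to Prod" ;;
    esac

    # ServerSignature defaults to Off, so only an explicit On/EMail is a finding.
    sig=$(printf '%s\n' "$active" |
        awk 'tolower($1) == "serversignature" { v = $2 } END { print tolower(v) }')
    case "$sig" in
        ""|off) ;;
        *) echo "ServerSignature $sig: set to Off to drop the version footer" ;;
    esac

    # Uncommented mod_status / mod_info handlers expose runtime and config state.
    if printf '%s\n' "$active" | grep -qi 'SetHandler[[:space:]]*server-status'; then
        echo "server-status handler is active: comment out the Location block"
    fi
    if printf '%s\n' "$active" | grep -qi 'SetHandler[[:space:]]*server-info'; then
        echo "server-info handler is active: comment out the Location block"
    fi

    # Fancy directory listings pull in icons that fingerprint the server.
    if printf '%s\n' "$active" | grep -qi 'Include.*httpd-autoindex\.conf'; then
        echo "httpd-autoindex.conf is included: comment out the Include line"
    fi
    return 0
}

# audit_count FILE -> number of findings on stdout
audit_count() {
    audit_httpd_conf "$1" | awk 'END { print NR }'
}

# Constructed sample: every setting still at its disclosing value.
write_weak_conf() {
    cat > "$1" <<'EOF'
ServerTokens Full
ServerSignature On
<Location /server-status>
    SetHandler server-status
</Location>
<Location /server-info>
    SetHandler server-info
</Location>
# Fancy directory listings
Include conf/extra/httpd-autoindex.conf
EOF
}

# Constructed sample: the same file after applying the recommendations above.
write_hardened_conf() {
    cat > "$1" <<'EOF'
ServerTokens Prod
ServerSignature Off
##<Location /server-status>
##    SetHandler server-status
##</Location>
##<Location /server-info>
##    SetHandler server-info
##</Location>
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
EOF
}

# Demo: five findings for the weak file, none for the hardened one.
demo_dir=$(mktemp -d)
write_weak_conf "$demo_dir/weak.conf"
write_hardened_conf "$demo_dir/hardened.conf"
echo "== weak.conf =="
audit_httpd_conf "$demo_dir/weak.conf"
echo "== hardened.conf (no findings expected) =="
audit_httpd_conf "$demo_dir/hardened.conf"
rm -rf "$demo_dir"
```

Run it as `audit_httpd_conf /path/to/httpd.conf` after editing; because it only looks at uncommented lines, the `##<Location>` blocks and the `#Include` line from the solutions above are correctly treated as disabled.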
