
Making Your Server More Stealthy – Version Wise

As far as security is concerned, advertising which software versions are running on your site is not in your favour. With most any software, open source or not, when an exploitable bug is published on the vendor's or project's website there is very likely a version number attached to it. So if your server describes itself as "Apache/2.2.0" in every response, it tells everyone whether you are vulnerable or not, and makes you an easy pick for scanners that simply match banners against known-bad versions. Hiding the version does not fix the bug (keep patching), but it removes the free hint. To obfuscate this a bit I suggest setting the following items in your Apache config:

ServerSignature Off
ServerTokens Prod

The first setting turns off the server signature that Apache appends to the bottom of pages it generates itself, such as error pages and directory listings. The second limits the Server response header to just "Apache" instead of "Apache/2.2.0" (the default, ServerTokens Full, also lists the OS and loaded modules, PHP included). Note that ServerTokens is a server-wide setting and cannot differ per virtual host, while ServerSignature can also be set per virtual host or directory. There is a similar setting in lighttpd:

server.tag = "lighttpd"

This sets the same Server: response header to whatever the variable holds, in this case just "lighttpd", which again drops the software version (the default is lighttpd/<version>).

Along the same lines is hiding that PHP exists on your system at all. Setting expose_php to Off in php.ini removes the X-Powered-By: PHP/x.y.z header that PHP otherwise adds to every response it handles. It does not hide the .php extension in your URLs, so treat it as a partial measure. After making any of these changes, restart the server and confirm with curl -I that the Server and X-Powered-By headers no longer carry a version.
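To verify the three settings above actually took effect, the following is an added example (not part of the original post) of a small check over captured HTTP response headers. In practice you would feed it the output of curl -sI against your own host; here the "before" and "after" header sets are constructed inline so it runs offline, and the header values shown are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: flag response headers that still
# advertise software versions. The two header sets below are constructed to
# resemble an Apache default config and the hardened config from the post.

# header_leaks: read raw response headers on stdin and return 0 (true) if
# they disclose a product version (a "/<digit>" in Server:) or reveal PHP
# through X-Powered-By:, 1 (false) if they look clean.
header_leaks() {
    tr -d '\r' | awk '
        {
            i = index($0, ":")
            if (i == 0) next                      # status line or blank line
            name  = tolower(substr($0, 1, i - 1)) # header names are case-insensitive
            value = substr($0, i + 1)
            sub(/^ +/, "", value)
            # Apache/2.2.0, lighttpd/1.4.x, PHP/5.x all match "/<digit>"
            if (name == "server" && value ~ /\/[0-9]/) leak = 1
            # any X-Powered-By means expose_php is still On
            if (name == "x-powered-by") leak = 1
        }
        END { exit leak ? 0 : 1 }
    '
}

# Constructed "before" headers: defaults (ServerTokens Full, expose_php On).
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.2.0 (Unix) PHP/5.2.4
X-Powered-By: PHP/5.2.4
Content-Type: text/html'

# Constructed "after" headers: ServerTokens Prod and expose_php = Off.
CLEAN_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

# report: print a one-line verdict for the header set passed as $1.
report() {
    banner=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^server:')
    if printf '%s\n' "$1" | header_leaks; then
        echo "LEAK  $banner"
    else
        echo "clean $banner"
    fi
}

report "$LEAKY_HEADERS"
report "$CLEAN_HEADERS"
# Against a live host: curl -sI https://your.host/ | header_leaks && echo "still leaking"
```

The check deliberately treats any X-Powered-By header as a leak, not just one with a version, because the header's mere presence tells a scanner which language runtime is behind the site.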
