By default, Apache proudly tells everyone that it is your web server, along with such specifics as exactly which version you are using and even the versions of the individual modules. As friendly as this is, it's not particularly secure. So how do you get it to be a little less forthcoming with this information?
HTTP response headers
The HTTP headers are a good place to start. Every time someone asks your server for a file, they get these headers back first, including one identifying the server. This will say something like
Apache/1.3.29 (Unix), or, even worse,
Server: Apache/1.3.29 (Unix) mod_gzip/220.127.116.11a mod_perl/1.29. Thankfully, changing the server header to something a bit more subtle is pretty easy. Just slip the following line into your
This replaces the detailed information with a simple
The other place where Apache tends to divulge too much information is the footer of error responses, such as the dreaded 404 page. You can turn off the footer from
.htaccess, so even if you don't have access to
httpd.conf you can still turn it off for your own website. If you do have access to
httpd.conf, it's probably a good idea to turn it off there, so that the change is global. Again, only one line needs to be added:
Once you have added the two lines to
httpd.conf, restart Apache (If you just added the one line to
.htaccess, you don't need to restart anything; the change should take effect immediately). Apache should no longer divulge its exact version number at the drop of a hat, let alone a list of the modules you are using with it. Of course, this won't deter people who are serious about breaking into your site, but at least it'll keep the script kiddies at bay.