Locking down Apache Web Server

Written by  on July 23, 2009

I was just looking through a security audit of some sites, and half of the complaints include “the ability for people to know your underlying technology”. For those who are using Apache 1.3 or above (and using a distro that has configuration files in /etc/httpd/conf.d), you will find this solution helpful. Simply create a file called /etc/httpd/conf.d/0-security.conf with the below content:

# Do not append the server version/hostname to error pages
ServerSignature Off
# Send only "Server: Apache" instead of the full version and module list
ServerTokens Prod
# Disable the TRACE method (echoes the request back, including headers)
TraceEnable Off
# For the whole filesystem, deny every HTTP method other than GET, POST and HEAD
<Directory />
    <LimitExcept POST GET HEAD>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

Save it, restart httpd and you are “more” protected… a few notes:

  1. This assumes that your application will only use GET, POST or HEAD. If your application is fancy (or you don’t know your app), then you might want to get rid of the LimitExcept directive.
  2. If your application (or application container such as PHP, Python or Java) generates additional HTTP headers that identify their technology, then you might want to use mod_headers to remove them.
  3. Anyone with an ounce of network knowledge would know that you can figure out the underlying technology by probing at the TCP layers (nmap with the OS fingerprinting option is very handy). So don’t let auditors fool you – you can’t hide unless you have a security device in front of your servers that remove traces of OS “uniqueness” in layer 3.
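As an added example for note 2 (not part of the original post), this is the mod_headers fragment that strips the banner headers an application tier adds on top of what ServerTokens already trims. It assumes mod_headers is loaded (LoadModule headers_module) and that the backend is PHP emitting X-Powered-By; the other header names are common framework banners and unsetting an absent header is harmless.

```apache
# Added example: drop technology-identifying headers set by the application.
# Assumes mod_headers is loaded, e.g. in httpd.conf:
#   LoadModule headers_module modules/mod_headers.so
#
# Before (typical PHP backend):
#   Server: Apache/2.2.3 (CentOS)      <- trimmed to "Server: Apache" by ServerTokens Prod
#   X-Powered-By: PHP/5.1.6            <- untouched by ServerTokens, needs mod_headers
#
# After applying this fragment:
#   Server: Apache
#   (no X-Powered-By)

<IfModule mod_headers.c>
    # PHP advertises itself here; "expose_php = Off" in php.ini is the
    # equivalent fix at the PHP layer, this one works regardless of php.ini.
    Header unset X-Powered-By
    # Other framework banners that may be present behind a proxy setup
    Header unset X-AspNet-Version
    Header unset X-AspNetMvc-Version
    Header unset X-Runtime
</IfModule>

# Verify from the server itself after restarting httpd (constructed check):
#   curl -sI http://localhost/ | grep -i -E '^(server|x-powered-by|x-aspnet):'
# Expected: only "Server: Apache" is printed.
```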