Hide Apache Software Version and Module Version

By default, Apache will show its version and moudules installed in HTTP Header and error messages pages. It's vulnerable and dangerous, we need to make changes in Apache main configuration file.

According to your Linux distribution, you can find Apache main configuration here:

/etc/httpd/conf/httpd.conf (RHEL/CentOS/Fedora)
/etc/apache/apache2.conf (Debian/Ubuntu)
 
Edit the Apache configuration file, find and change the following directives. Restart Apache and it's done.

ServerSignature Off
ServerTokens Prod
 
ServerSignature is used to set what to show when there is an error, for example, 404 eror (Page Not Found). There are three values for ServerSignature directive, Off, On and Email. The difference between On and Email is if you choose Email you will see a "mailto:" link to ServerAdmin.

 

The above image is not showing any Apache information, with ServerSignature set to value Off.



The above image is showing Apache and OS information, with ServerSignature set to value Email.

ServerTokens is used to set what to show in HTTP Header and error messages pages, there are six values: ProductOnly, Major, Minor, Minimal, OS and Full. Value Prod is recommended for everyone to set.

 
 
The above image is showing the information with ServerTokens set to vaule ProductOnly.




The above image is showing the information with ServerTokens set to vaule OS.

Comments

Post a Comment

Popular posts from this blog

How to Enable HSTS in Webmin

HSTS, which is short for HTTP Strict Transport Security, is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. This tutorial will help you setting HSTS in webmin. First, navigate to "Servers"-->"Apache Webserver", click the virtual server with SSL enabled which you want to edit. Then click "Edit Directives" to edit configuration file manually. Second, add the following configs to the bottom of the file. Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;" Click "Save and close" and restart Apache by clicking the "Apply Changes" on the top right. It's done and now HTTP Strict Transport Security has been enabled. You can run a ssl test here to find if it was enabled.
Read more

ONE-CLICK L2TP/IPSec VPN Installer

Today, I am sharing you a one-click l2tp vpn installer. It's pretty easy to install and use. Before you run the script, make sure that your VPS is not a OpenVZ VPS. This script has been installed on Vultr successfully. Step 1 Run the following commands one by one. wget --no-check-certificate https://raw.githubusercontent.com/teddysun/across/master/l2tp.sh chmod +x l2tp.sh ./l2tp.sh Step 2 Input the information needed according to the instruction the script given. For example, IP range, PSK, username and password. Several minutes later, your L2TP/IPsec VPN server is running. Step 3 If you want to add and delete users, here is a list of commands. l2tp -a : Add a user l2tp -d : Delete a user l2tp -m : Modifies all the passwords of existing users l2tp -l : List all the username and passwords l2tp - h : Help This script of one-click l2tp vpn is pretty straight forward, give it a try, and you will find it is a time saver.
Read more

Alphabet Sold Google Domains to Squarespace

Image
According to Squarespace's press release , Alphabet sold Google Domains assets to them, and the transaction will be completed in the third quarter. The transaction involves 10 million domain names, under the terms of the agreement, Squarespace will honor all existing Google Domains customers' renewal prices for at least 12 months following the closing of the transaction. There will be seamless transfer between them, and there will not be much impact on users. The Google Domains business started in 2014, the word beta was removed in 2022, and it was sold in 2023, which lasted for 9 years. Domain name registration is an important web infrastructure, just like CloudFlare, which is a CDN provider, has also started a domain name hosting service. For Alphabet has Google Cloud service, it is reasonable to have this part of the infrastructure. From what I know of Google's business, there are at least 3 places where domain name registration can be integrated into Google's exist...
Read more