Altering the Apache Identity with mod_security

by Mike on April 28, 2009

Changing Web Server Identity
One aspect of hardening your server is to give attackers as little information as possible about the web server and version you are running. Apache itself does not provide a way to control all of the content sent in the Server header field, so you will need mod_security to change the identity. About the best you can do, with the minimum input, is to change the web server identity so that automated attacks are fooled. Determined attackers will still be able to use OS fingerprinting to see that the server is some type of Linux OS, but they will be left in the dark about the web server and version.

mod_security changes the identity of the server by finding where the identity string is kept in memory and overwriting it with a new text string. ServerTokens must be set to "Full" so that the original string provides enough space to hold the letters of the new name.

SecServerSignature "Microsoft-IIS/5.0"

Be sure that the Apache ServerTokens directive is set to the default, "Full". SecServerSignature requires a string argument and allows you to change the signature that is returned when an error is encountered.
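The two requirements above (ServerTokens left at Full, and a replacement string that fits in the space of the original banner) can be checked before Apache is reloaded. The following is an added example, not code from the original post or from mod_security; the function names, the sample configurations and the banner strings are constructed for illustration, and it assumes the last occurrence of a directive wins.

```python
import re

# ServerTokens keywords accepted by Apache, normalised to one spelling.
LEVELS = {"full": "Full", "os": "OS", "min": "Min", "minimal": "Min",
          "minor": "Minor", "major": "Major", "prod": "Prod",
          "productonly": "Prod"}
DIRECTIVE = re.compile(r"^\s*(ServerTokens|SecServerSignature)\s+(.+?)\s*$", re.I)
CURLY = "\u201c\u201d"  # typographic quotes picked up when pasting from a web page

# Constructed sample configurations (not taken from a real server).
GOOD_CONF = 'ServerTokens Full\nSecServerSignature "Microsoft-IIS/5.0"\n'
BAD_CONF = ("# ServerTokens Full\nServerTokens Prod\n"
            "SecServerSignature \u201cMicrosoft-IIS/5.0\u201d\n")


def effective_settings(conf_text):
    """Return (ServerTokens level, raw SecServerSignature value or None).

    Assumption: the last occurrence of a directive wins and any Include
    files have already been concatenated into conf_text.
    """
    tokens, replacement = "Full", None  # Apache's default is Full
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)  # commented-out lines do not match
        if not m:
            continue
        if m.group(1).lower() == "servertokens":
            tokens = LEVELS.get(m.group(2).lower(), m.group(2))
        else:
            replacement = m.group(2)
    return tokens, replacement


def audit(conf_text, current_banner):
    """List problems; current_banner is the Server header sent before the change."""
    tokens, replacement = effective_settings(conf_text)
    if replacement is None:
        return ["SecServerSignature is not set"]
    findings = []
    if any(ch in replacement for ch in CURLY):
        findings.append("typographic quotes in SecServerSignature value")
    if tokens != "Full":
        findings.append(f"ServerTokens is {tokens}, must be Full")
    wanted = replacement.strip('"' + CURLY)
    if len(wanted) > len(current_banner):
        findings.append(f"{wanted!r} ({len(wanted)} chars) does not fit in "
                        f"{current_banner!r} ({len(current_banner)} chars)")
    return findings
```

Typographic quotes are flagged because Apache only treats the ASCII double quote as a quoting character, so a directive pasted with curly quotes would carry them into the string that is sent.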

nmap -A -T4 -F 192.168.5.103
Starting Nmap 4.85BETA6 ( http://nmap.org ) at 2009-04-26 09:25 MDT
Interesting ports on 192.168.5.103:
Not shown: 97 filtered ports
PORT    STATE  SERVICE VERSION
80/tcp  open   http    Microsoft IIS webserver 5.0
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (96%), Linksys embedded (91%), Xerox embedded (91%), Linksys Linux 2.4.X (91%)
Aggressive OS guesses: Linux 2.6.9 - 2.6.25 (96%), Linux 2.6.9 - 2.6.26 (96%), Linux 2.6.9 - 2.6.15 (95%), Linux 2.6.18 (CentOS 5.2) (93%), Linux 2.6.13 - 2.6.27 (93%), Linux 2.6.18 (Debian 4, VMware) (93%), Linux 2.6.9 - 2.6.27 (93%), OpenVZ Linux virtualization kernel (Linux 2.6.18-028stab045) (93%), Linux 2.6.24 (92%), Linux 2.6.15 - 2.6.22 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.17 seconds
