In this article, we are reviewing Apache’s default settings. Apache out-of-the-box will display internal IP addresses, OS version, Apache’s version, Apache modules, and more. On its own, leaking this data is not a big deal, but in combination with other information, it may enable an Attacker. Regardless, we should always try to minimize the data we are giving out about our systems.

This article is the second in the Diamond Hard LAMP series.

Default Site Index & Error Pages

What’s the first thing an Attacker will do after port scanning an IP and discovering port 80 or 443 open? Easy, the Attacker will open the server IP in a web browser. Here the Attacker will find the details about the server software versions, and this is the first step in exploiting the system. With the version numbers, an Attacker can search for known vulnerabilities in Apache, our OS, and modules. To prevent this we will add new default site error files that will replace the standard error messages. The new error pages will give away no details about the system. Run the below commands to produce the new simple error pages.

echo "<h1 style='color:red'>Error 404: Not found :-(</h1>" > /var/www/html/custom_404.html
echo "<p>Sorry, but I cannot find that file..  Are you sure you typed in the correct URL?</p>" > /var/www/html/custom_404.html
echo "<h1 style='color:red'>Error 404: Not found :-(</h1>" > /var/www/html/index.html
echo "<p>Sorry, but I cannot find that file...  Are you sure you typed in the correct URL?</p>" > /var/www/html/index.html
echo "<h1>Bonk! Something went wrong...</h1>" > /var/www/html/custom_50x.html
echo "<p>Hmm.. We seem to be having some technical difficulties. Hang tight.</p>" > /var/www/html/custom_50x.html

Now we need to edit the “/etc/apache2/sites-available/000-default.conf” file to use the new error pages we added. Edit the “000-default.conf” file to match the below text.

<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
	ErrorLog \${APACHE_LOG_DIR}/error.log
	CustomLog \${APACHE_LOG_DIR}/access.log combined    
	ErrorDocument 401 /custom_404.html
	ErrorDocument 403 /custom_404.html
	ErrorDocument 404 /custom_404.html
	ErrorDocument 405 /custom_404.html
	ErrorDocument 410 /custom_404.html
	ErrorDocument 411 /custom_404.html
	ErrorDocument 412 /custom_404.html
	ErrorDocument 413 /custom_404.html
	ErrorDocument 414 /custom_404.html
	ErrorDocument 415 /custom_404.html
	ErrorDocument 500 /custom_50x.html
	ErrorDocument 502 /custom_50x.html
	ErrorDocument 503 /custom_50x.html
	ErrorDocument 504 /custom_50x.html

Lets take a look at the differences the changes made.


Prevent Apache Header and Footer Data Leaks

Apache by default leaks the server’s OS-type and enabled Apache modules data in the way it responds to HTTP requests. This allows port scanners like Nmap to quickly determine the OS and Apache version. So when a vulnerability is discovered in Apache, the vulnerable system can be quickly found and exploited by malicious bots online. To prevent this we just need to modify two simple configuration settings.

ServerSignature Directive

The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents (error messages, mod_proxy ftp directory listings, mod_info output, …). The reason why you would want to enable such a footer line is that in a chain of proxies, the user often has no possibility to tell which of the chained servers actually produced a returned error message.
ServerTokens Directive

This (ServerTokens) directive controls whether Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.

ServerTokens & ServerTokens Config Fixes

Just add the two below lines to the bottom “/etc/apache2/apache2.conf” file. After the changes restart Apache.

ServerTokens Prod
ServerSignature Off 

Now that we have made our changes to ServerTokens & ServerTokens, let’s test with Nmap to see the difference.

Final Notes

This hardening method is not a surefire way of preventing a server’s Apache version, module versions, or internal IP from leaking. We are just making that data harder to find, and harder for automated attacks against us.