Change Apache Version Header

  #1  
Old 11-16-2005, 05:52 PM
Scott.Mc Scott.Mc is offline
Engineer
 
Join Date: Jan 2005
Location: Scotland, UK
Posts: 2,379

Change Apache Version Header


If you wish to set your own server version for Apache to something else that maybe fits into your company name, it's actually a very simple process, but it does involve adjusting the Apache source.

An example of what it looks like after you have edited is google.com

Code:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: GWS/2.1
Content-Length: 0
Date: Wed, 16 Nov 2005 21:33:28 GMT

As you see it returns GWS. Speculation says it's Google Web Server; however, watching as the versions go on they match the Apache releases, so they either use a heavily modded Apache version or just the simple change that I am about to show.

Apache does have this feature somewhat built in already and all we are changing is one line.


Code:
if (ap_server_tokens == SrvTk_PRODUCT_ONLY) {
    ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT);
}
else if (ap_server_tokens == SrvTk_MINIMAL) {
    ap_add_version_component(pconf, AP_SERVER_BASEVERSION);
}
else if (ap_server_tokens == SrvTk_MINOR) {
    ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MINORREVISION);
}
else if (ap_server_tokens == SrvTk_MAJOR) {
    ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MAJORVERSION);
}
else {
    ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (" PLATFORM ")");
}

This is where it sets the product version, and if you set it to Prod it will only return the base_product with nothing else, so all we have to do is adjust the base_product. Anyway, enough babbling and let's get straight to the point.

Firstly, you will need to grab a copy of apache from http://www.apache.org,

wget http://www.mirror.ac.uk/mirror/ftp.a....9-beta.tar.gz
tar -zxvf httpd-2.1.9-beta.tar.gz
cd httpd-2.1.9-beta


Now we need to modify include/ap_release.h before compiling

nano include/ap_release.h

Find

#define AP_SERVER_BASEPRODUCT "Apache"

and replace it with

#define AP_SERVER_BASEPRODUCT "HostGeekZ"

Obviously replacing HostGeekZ with the version you wish to use.

Now compile and install apache

./configure --prefix=/usr/hostgeekz
make
make install


Obviously add whatever is required, i.e. --with-curl --with-mysql and so on, to your configure line.


Now we want to set httpd.conf to read the first statement of server_baseproduct only. To do this, open httpd.conf; the path will depend on what you set --prefix to. As we used /usr/hostgeekz, this is where httpd.conf will be

nano /usr/hostgeekz/conf/httpd.conf

Now find

ServerSignature
and set this to

ServerSignature Off

Then add this below

ServerTokens Prod

Then start apache, you are now complete and it should return


Code:
Server: HostGeekZ
Updated versions of this guide may be found Here

Reply With Quote
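A way to check the result of the steps in the post above, as an added example that is not part of the original post: it pulls the Server header out of a raw HTTP response, works out which ServerTokens level the value corresponds to (the product, version, platform and module components shown in the source snippet), and reports what is still disclosed. The function names and the two sample responses are constructed for illustration.

```python
import re
# Server value shape: product[/version][ (platform)][ module/version ...]
_SERVER_RE = re.compile(
    r"^(?P<product>[^/\s()]+)"
    r"(?:/(?P<version>\d+(?:\.\d+)*[\w-]*))?"
    r"(?:\s+\((?P<platform>[^)]+)\))?"
    r"(?P<extra>(?:\s+\S+)*)$"
)

def server_header(raw_response):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def classify(value):
    """Map a Server value to (ServerTokens level, product name)."""
    m = _SERVER_RE.match(value.strip())
    if m is None:
        return ("Unknown", None)
    product, version = m.group("product"), m.group("version")
    if m.group("extra").strip():
        level = "Full"   # module components follow the platform
    elif m.group("platform"):
        level = "OS"
    elif version is None:
        level = "Prod"
    else:
        level = {1: "Major", 2: "Minor"}.get(version.count(".") + 1, "Min")
    return (level, product)

def audit(raw_response, expected_product):
    """List what the response still discloses; an empty list means clean."""
    value = server_header(raw_response)
    if value is None:
        return ["no Server header in response"]
    level, product = classify(value)
    findings = []
    if level != "Prod":
        findings.append(f"ServerTokens behaves as {level}, not Prod: {value!r}")
    if product != expected_product:
        findings.append(f"product token is {product!r}, expected {expected_product!r}")
    return findings

# Constructed sample responses (not captured from a real server).
BEFORE = "HTTP/1.1 200 OK\r\nServer: Apache/2.2.0 (Unix)\r\nContent-Length: 0\r\n\r\n"
AFTER = "HTTP/1.1 200 OK\r\nServer: HostGeekZ\r\nContent-Length: 0\r\n\r\n"
```

Calling `audit(BEFORE, "HostGeekZ")` returns two findings (OS-level tokens and the stock product name), while `audit(AFTER, "HostGeekZ")` returns an empty list.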


  #2  
Old 12-26-2005, 07:04 PM
damainman damainman is offline
Web Hosting Guru
 
Join Date: Nov 2003
Posts: 314
What if you compile Apache using cPanel's /easyapache?

  #3  
Old 12-26-2005, 07:05 PM
Steven Steven is online now
I like ice cream
 
Join Date: Mar 2003
Location: California USA
Posts: 11,556
it can be done using mod_security

  #4  
Old 03-09-2006, 04:49 PM
JVS_Hosting JVS_Hosting is offline
Aspiring Evangelist
 
Join Date: Mar 2006
Location: New York USA
Posts: 402
Yes, Steven and Scott are both right. It can be done either way. But to the newer Apache admin, I would recommend what Steven said: install and configure mod_security to do this. The secfilter you will need is as such:

SecServerSignature "IIS 4.0"

Which will confuse people into thinking that the server itself is that of Microsoft's * AHEM * Wonderful IIS * AHEM *

  #5  
Old 03-16-2006, 08:44 AM
learnerman learnerman is offline
Registered User
 
Join Date: Sep 2004
Posts: 242
Quote:
it can be done using mod_security
The newest versions of mod_security disabled that rule!!
I read that in the change log!

  #6  
Old 03-16-2006, 03:12 PM
JVS_Hosting JVS_Hosting is offline
Aspiring Evangelist
 
Join Date: Mar 2006
Location: New York USA
Posts: 402
I can't believe they would disable that feature?! That is one of the most important features mod_security has to offer; spoofing the ident of the server decreases the risk of being exploited through an unknown vulnerability! I'm outraged! Do you or any of you have the direct link to that change log??

  #7  
Old 03-16-2006, 03:45 PM
zoid zoid is offline
Hail to the Meerkat
 
Join Date: Aug 2001
Posts: 2,890
They obviously removed the feature that it advertises itself in the header.
Quote:
Prior to 1.9 ModSecurity supported the SecServerResponseToken directive. When used, this directive exposed the presence of the module (with the version) in the web server signature. This directive no longer works in 1.9. If used, it will emit a warning message to the error log. This directive was completely removed from 2.x onwards.
But I couldn't find any sign that they removed the ability to change the actual server string.
Quote:
7/3/2006 2.0.0-dev1
-------------------

* Added SecDataDir, SecIpInfo.

* Implemented garbage collection for the IP DB: implicitely,
once in every 100 requests, or explicitely via the
/rpc/ipinfo/removeStaleEntries?timeout=X (seconds) RPC call.
The timeout value is set to 900 seconds by default but can
be changed with SecIpInfoTimeout.

* Added IPINFO API. Assuming handler "mod-security-handler" is
set for /modsec/, functions GET /modsec/rpc/ipinfo/getEntry?addr=X
and POST /modsec/rpc/ipinfo/removeEntry?addr=X are implemented.
Also added blockAddress?addr=X&duration=Y&message=Z and
unblockAddress?addr=X.

* Implemented transaction scoring: variable TX_SCORE, action
"txscore" (examples: txscore:0, txscore:+5, txscore:-5).

* Added functions for string comparison (eq) and numerical
comparison (lt, le, gt, ge).

* Added support for IP address scoring: variable IP_SCORE,
action "ipscore" (examples: ipscore:0, ipscore:+5, ipscore:-5),
directive SecIpScoreHalflife.

* Added support for functions.

* Implemented RBL check as a first function. Usage example:
SecFilterSelective REMOTE_ADDR "@rblCheck sbl-xbl.spamhaus.org"

* Removed obsolete features: 1) Execution through suEXEC, 2) DynamicOnly,
3) SecServerResponseToken.

* SecFilterOutputMimeTypes now accepts multiple parameters, ie instead
of 'SecFilterOutputMimeTypes "one two three"' one should use
'SecFilterOutputMimeTypes one two three', or 'SecFilterOutputMimeTypes one \
SecFilterOutputMimeTypes two \ SecFilterOutputMimeTypes three' (yes, three
lines). Also added SecFilterOutputMimeTypesClear.

* Rewritten the output buffering code. It's more robust now and consumes
less memory. Also added SecFilterOutputSizeLimit.

* Added support for IP address blocking. Added action "block:DURATION". Also
added variables IP_IS_BLOCKED and IP_BLOCK_MESSAGE. (IP addresses are not
implicitly blocked. A rule must be put in place to block them.)

* Added support for multiple messages per transaction.


6/3/2006 1.9.3-rc1
------------------

* Improved the internal chroot feature to work with mod_fastcgi,
mod_fcgi, mod_cgid (testers welcome).

* Response headers are now escaped in the concurrent audit log

* New action: logparts (adjust the audit log parts setting).

* Added support for multiple messages per transaction.

* Added SCRIPT_BASENAME, REQUEST_BASENAME.

* Implemented variable caching to reduce memory consumption. Large memory
savings can be achived but only when the rule set is significantly
large. Not noticable for "normal" installations.

* Fixed the "Server" trailer message in the concurrent audit log.

* Removed the extra newline added to the index file by the concurrent
audit logger.

* Fixed a problem in the action list parser which caused parsing
to stop after any action with a quoted parameter.

* (Apache 2.x only) Fixed a response buffering problem that
manifested as partial loss of output when virtual subrequests
are used (it is the output from the virtual subrequests that
would be lost).

* Deprecated DynamicOnly because it is inherently difficult
to use and often unpredictable.


16/1/2006 1.9.2
---------------

* Increased allowed multipart header size to 4096.

* Fixed small bugs in the multipart code that would (in some
rare cases) lead to incorrectly interpreting the uploaded
files.

* (Apache 2.x only) Fix for a crash in the serial audit logger.

* (Apache 2.x only) Fix to compile on Debian 3.1 (they are not using
stock Apache).

* Fixed a small concurrency issue.

* Chained rules metadata now appears in the logs.

* Restrict the length of each line in the concurrent audit
logger index when logging over a pipe.

* New concurrent audit logger trailer headers: Server, Action, Producer.

* Added compile-time directive (DISABLE_SUEXEC) to disable
process creation through suEXEC.

* Added support for compilation with PCRE (instead of the
native Apache regex library) to the Apache 1.3.x version
(Apache 2.x already uses PCRE). PCRE is much faster.

* Fixed a bug in the concurrent audit logging code where partial
audit log entry files were being created for all requests.

* Fixed bugs (in the Apache 2.x branch) to make audit logging
through a pipe work.

  #8  
Old 04-12-2007, 07:24 PM
aymax aymax is offline
Newbie
 
Join Date: Jun 2006
Posts: 5
problem

In my Linux box
I installed
Change Apache Version Header script
by
wget
web url >>> people.apache.org/~pquerna/dev/httpd-2.2.0/httpd-2.2.0.tar.gz
and
tar -zxvf httpd-2.2.0.tar.gz
cd httpd-2.2.0
and modify include/ap_release.h before compiling
nano include/ap_release.h
Find
#define AP_SERVER_BASEPRODUCT "Apache"
and replace it with
#define AP_SERVER_BASEPRODUCT "xxx"

and compile and install apache
./configure --prefix=/usr/local/apache/
make
make install
and after that
edit my httpd.conf file
ServerSig off
Then add this below
ServerTokens Prod
After restarting my Apache I got this error
httpd: Syntax error on line 225 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/libexec/mod_rewrite.so into server: /usr/local/apache/libexec/mod_rewrite.so: undefined symbol: ap_user_id
So please help me
