Disable Server Banners

Most web servers display its version and modules in use by default. Best security practices recommend that you
disable this option, since it can be used to find vulnerabilities of your site.

The NIST Guide for Securing Web Servers also recommends it.

Here is an example of a server banner on Apache with it enabled:

Apache/2.2.22 (Unix)
  mod_ssl/2.2.22
  OpenSSL/0.9.8e-fips-rhel5
  mod_auth_passthrough/2.1
  mod_bwlimited/1.4
  FrontPage/5.0.2.2635
  mod_perl/2.0.5 Perl/v5.8.8

As you can see, it leaks not only the Apache version (in this case outdated), but also the modules being used and their versions. The same applies to NGINX and IIS.

Disabling on Apache

To disable server banners on Apache, you will need to edit your httpd.conf and add:

ServerSignature Off
ServerTokens Prod

If you’re on a shared server, you will need to contact your hosting provider to request they make the necessary change.

Sucuri customers

Note that all WAF users are already protected against this.

If you have any questions, please contact our research team at research@sucuri.net.

Was this article helpful?

Disable Server Banners

Disabling on Apache

Sucuri customers

Popular Articles

How do I find my FTP information?

Sucuri Firewall Troubleshooting Guide

Facebook Unable to Get Page Details

Brute Force

Hardening

Warnings