If you host your application on an Apache web server in a production environment, it is recommended to disable the Apache server signature so that the Apache version number is hidden. Attackers can use Nmap or another tool to find the Apache version number before performing an attack. Once they know the version, they can look up vulnerabilities known to affect that specific Apache release and target them.
In this post, we will show you how to disable the Apache server signature on CentOS 8.
Step 1 – Install Apache Server
Before starting, the Apache webserver must be installed on your server. If not installed, you can install it with the following command:
dnf install httpd -y
Once installed, start the Apache service and enable it to start at system reboot:
systemctl start httpd
systemctl enable httpd
Step 2 – Verify Apache Server Signature
Next, you will need to check whether the Apache signature is on or off. You can check it by running the following command:
curl --head http://localhost
You should see the following output:
HTTP/1.1 403 Forbidden
Date: Wed, 24 Mar 2021 12:24:45 GMT
Server: Apache/2.4.37 (centos)
Content-Location: index.html.zh-CN
Vary: negotiate,accept-language
TCN: choice
Last-Modified: Fri, 14 Jun 2019 03:37:43 GMT
ETag: "fa6-58b405e7d6fc0;5be475f323d62"
Accept-Ranges: bytes
Content-Length: 4006
Content-Type: text/html; charset=UTF-8
Content-Language: zh-cn
The Server header in the above output shows the Apache version number, which means the Apache signature is enabled on your system.
Step 3 – Disable Apache Signature
You can disable the Apache signature by editing the Apache main configuration file:
nano /etc/httpd/conf/httpd.conf
Add the following line at the end of the file. It limits the Server response header to the product name only:
ServerTokens Prod
Save and close the file when you are finished. Then, restart the Apache service to apply the changes:
systemctl restart httpd
Step 4 – Verify the Apache Signature
At this point, the Apache signature should be disabled on your system. Next, verify that the change has taken effect.
To check it, run the following command:
curl --head http://localhost
You should see the following output:
HTTP/1.1 403 Forbidden
Date: Wed, 24 Mar 2021 12:26:25 GMT
Server: Apache
Content-Location: index.html.zh-CN
Vary: negotiate,accept-language
TCN: choice
Last-Modified: Fri, 14 Jun 2019 03:37:43 GMT
ETag: "fa6-58b405e7d6fc0;5be475f323d62"
Accept-Ranges: bytes
Content-Length: 4006
Content-Type: text/html; charset=UTF-8
Content-Language: zh-cn
The Server header in the above output no longer shows the Apache version, which means the Apache signature is disabled on your system.
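The manual check in Steps 2 and 4 can be scripted so it can run after every configuration change. The following is an added example, not part of the original guide; the function names are hypothetical, and the sample input is constructed from the two outputs shown above.

```shell
#!/bin/sh
# Classify the Server header found in `curl --head` output.

# Print the value of the Server header read from stdin (empty if absent).
server_header() {
    # Header names are case-insensitive and curl prints lines ending in CRLF.
    tr -d '\r' | awk 'tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Return 0 if the value reveals more than the bare product name
# (a version number or a parenthesised OS comment), 1 otherwise.
leaks_version() {
    case "$1" in
        *[0-9]*|*"("*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read response headers on stdin and print a one-line verdict.
check_headers() {
    value=$(server_header)
    if [ -z "$value" ]; then
        echo "absent"
    elif leaks_version "$value"; then
        echo "leak: $value"
    else
        echo "ok: $value"
    fi
}

# Constructed sample input based on the outputs in Step 2 and Step 4.
BEFORE=$(printf 'HTTP/1.1 403 Forbidden\r\nDate: Wed, 24 Mar 2021 12:24:45 GMT\r\nServer: Apache/2.4.37 (centos)\r\n\r\n')
AFTER=$(printf 'HTTP/1.1 403 Forbidden\r\nDate: Wed, 24 Mar 2021 12:26:25 GMT\r\nServer: Apache\r\n\r\n')

printf '%s\n' "$BEFORE" | check_headers   # leak: Apache/2.4.37 (centos)
printf '%s\n' "$AFTER" | check_headers    # ok: Apache

# Live check against the local server:
#   curl -s --head http://localhost | check_headers
```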
Conclusion
In the above guide, you learned how to disable the Apache signature on CentOS 8. Ideally, this will increase your Apache web server security; try it today on your dedicated server from Atlantic.Net.