I’m just finishing up configuring Apache and I wanted to touch on the concept of “security through obscurity”, which is defined as:

Security through (or by) obscurity is a principle in security engineering, which attempts to use secrecy (of design, implementation, etc.) to provide security. A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them.

My previous post regarding the Cal Poly Electrical Engineering department and their server touched upon hiding the server version and mods through ServerTokens. While that works, your server’s headers still read “Apache”. Luckily this is easy to fix by installing mod_security.

If you are running Ubuntu do the following:

Install mod_security

sudo apt-get -y install libapache-mod-security

Create /etc/apache2/conf.d/modsecurity2.conf with the following data:

<IfModule mod_security2.c>
    SecServerSignature "Replace this with what you want your server to appear as"
</IfModule>

Enable mod_security

sudo a2enmod mod-security

Warning: The mod_security instructions say to set ServerTokens Full, but DO NOT DO THIS! This causes your Apache mods to be displayed.
In your apache2.conf (located in /etc/apache2) set ServerTokens to OS:

ServerTokens OS
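To check what a server actually sends once these steps are in place, here is an added example (my own Python, not from the original post and not part of mod_security) that classifies a Server header by the ServerTokens level that would produce it and flags anything beyond OS; the sample headers at the bottom are constructed, not captured from any host.

```python
import http.client
import re

# Shape of the Server header at each Apache ServerTokens level
# (Prod, Major, Minor, Min, OS, Full), per the Apache ServerTokens docs.
_APACHE_RE = re.compile(
    r"^Apache(?:/(?P<major>\d+)(?:\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?)?)?"
    r"(?: \((?P<os>[^)]+)\))?(?: (?P<modules>\S.*))?$")
_ORDER = ["Prod", "Major", "Minor", "Min", "OS", "Full"]
# First field present decides the level; a module list means ServerTokens Full.
_FIELD_TO_LEVEL = (("modules", "Full"), ("os", "OS"), ("patch", "Min"),
                   ("minor", "Minor"), ("major", "Major"))

def classify_server_header(value):
    """Map a Server header to the ServerTokens level that produces it.
    'custom' = not Apache's native format (e.g. replaced by SecServerSignature)."""
    m = _APACHE_RE.match(value.strip())
    if not m:
        return {"level": "custom", "version": None, "os": None, "modules": []}
    g = m.groupdict()
    level = next((lv for key, lv in _FIELD_TO_LEVEL if g[key]), "Prod")
    version = ".".join(p for p in (g["major"], g["minor"], g["patch"]) if p)
    return {"level": level, "version": version or None, "os": g["os"],
            "modules": g["modules"].split() if g["modules"] else []}

def exceeds_level(value, max_level="OS"):
    """True if the header discloses more than the allowed ServerTokens level."""
    level = classify_server_header(value)["level"]
    return level != "custom" and _ORDER.index(level) > _ORDER.index(max_level)

def fetch_server_header(host, port=80, path="/"):
    """Fetch the Server header from a host you administer (HEAD request)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("HEAD", path)
    header = conn.getresponse().getheader("Server", "")
    conn.close()
    return header

if __name__ == "__main__":
    # Constructed sample headers, not captured from any real host.
    for h in ("Apache", "Apache/2.2.22 (Ubuntu)",
              "Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1",
              "Replace this with what you want your server to appear as"):
        print(f"{h!r} -> {classify_server_header(h)['level']}, "
              f"more than OS: {exceeds_level(h)}")
```

Point fetch_server_header at your own host to feed a live header through the same check; a SecServerSignature string comes back as 'custom' because it no longer follows Apache's format.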

I should note two things.
1. mod_security is a great tool. We only used one feature of it. I suggest you follow bodhi.zazen’s tutorial to further configure it.
2. Security through obscurity ALONE is dangerous. You should never rely on it; it should only be the first line of defence in securing your site.