Senin, 05 Agustus 2024

Remove Server Name From Apache Response Header (Apache/xxx ) Ubuntu

1. Open Apache Config File

Open terminal and run the following command to open Apache main configuration file.

CentOS/Fedora:

$ sudo vi /etc/httpd/conf/httpd.conf

Ubuntu/Debian:

$ sudo vi /etc/apache2/apache2.conf

Bonus Read : How to Enable GZIP Compression in Apache

2. Turn Off Server Signature

Add/modify the following lines to hide server information in Apache.

ServerSignature Off
ServerTokens Prod

ServerSignature – appears at the bottom of server generated pages such as error pages, directory listings, etc. It takes On/Off/EMail values, where EMail shows a “mailto:” reference to Site Admin’s email.

ServerTokensServerTokens decides what Apache will send back in response headers. It takes the following values

ServerTokens Full (or not specified)
Response to clients: Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2

ServerTokens Prod[uctOnly]
Response to clients: Server: Apache

ServerTokens Major
Response to clients: Server: Apache/2

ServerTokens Minor
Response to clients: Server: Apache/2.4

ServerTokens Min[imal]
Response to clients: Server: Apache/2.4.2

ServerTokens OS
Response to clients: Server: Apache/2.4.2 (Unix)

Bonus Read : How to Install mod_evasive in Apache

If you want to disable server signature in WordPress or turn off server signature in CPanel, then you will have to remove Apache server using .htaccess file, since you may not have access to Apache’s main configuration file.

Open CPanel, locate .htaccess file and edit it. Add the following 2 lines to .htaccess file

ServerSignature Off
ServerTokens Prod

Bonus Read : How to Move Apache Web Root to New Location

3. Restart Apache Server

Restart Apache Server to apply changes

$ sudo systemctl restart apache2 #SystemD
$ sudo service apache2 restart #SysVInit
Diposting oleh di Tidak ada komentar:

Disable TLS 1.0 and 1.1 in Apache

Check Enabled SSL/TLS Versions

Online Tools

You can quickly check the versions of SSL/TLS your website supports by visiting CDN77’s TLS Checker and entering the domain name you’d like to check. As can be seen below, https://example.com currently disables SSL versions 2 and 3, but enables all versions of TLS (including the deprecated TLS 1.1 and 1.0):

Nmap

You can also check for the SSL/TLS versions and ciphers supported by a website with the open-source nmap command-line tool:

nmap --script ssl-enum-ciphers -p <PORT> <DOMAIN NAME>

The default port for SSL/TLS is 443

. The command below will generate a report for example.com:

$ nmap --script ssl-enum-ciphers -p 443 example.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-25 13:10 EDT
Nmap scan report for example.com (93.184.216.34)
Host is up (0.031s latency).
Other addresses for example.com (not scanned): 2606:2800:220:1:248:1893:25c8:1946
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 3.88 seconds

Server Configuration

Apache

To disable TLS 1.0 and 1.1 in Apache, you will need to edit the configuration file containing the SSLProtocol

directive for your website. This file may be located in different places depending on your platform, version, or other installation details. Some possible locations are:

  • /usr/local/apache2/conf/extra/httpd-ssl.conf
    (default Apache installation)
  • /etc/apache2/mods-enabled/ssl.conf
    (Ubuntu/Debian)
  • /private/etc/apache2/extra/httpd-ssl.conf
    (macOS)

When you have located the correct configuration file, look for a line beginning with SSLProtocol

. This example, from a default macOS Apache installation, disables SSLv3 with the operator but enables TLS 1.0 and 1.1:

SSLProtocol all -SSLv3

You can disable all obsolete versions of SSL/TLS supported by Apache by specifying them as follows:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

The configuration above enables TLS 1.2, as well as TLS 1.3 if it is available in your environment.

Apache and Virtual Hosts

Apache can run more than one web site on a single server. These virtual hosts may be based on IP number, port, or domain name, and may include settings that override the base configuraton for Apache. For this reason, you should check the settings for each virtual host in your configuration files, especially if your changes to the base SSL/TLS configuration do not seem to be working.

For versions of Apache prior to 2.4.42 (built/linked against OpenSSL before 1.1.1), it was not possible to specify different SSL/TLS protocols for name-based virtual hosts sharing the same base IP number and port – the SSLProtocol

of the first virtual host was applied to all others. Beginning with Apache 2.4.42/OpenSSL 1.1.1, the SSLProtocol of each name-based virtual host is honored when the Server Name Indication (SNI) is provided by the client during the SSL/TLS handshake.

Once you have made your configuration changes, reload Apache to put them into effect. For more information on the SSLProtocol directive, please refer to Apache’s documentation.

sumber : https://www.ssl.com/guide/disable-tls-1-0-and-1-1-apache-nginx/

 

Diposting oleh di Tidak ada komentar:
Langganan: Postingan (Atom)