This tutorial shows how to change Apache’s default Server header to anything you want, whether to mislead visitors or just to show off. By “any” I mean any name at all: you can change Apache to Nginx, Lighttpd, LiteSpeed, or even your own name like Sawiyati. The purpose is to mislead anyone who wants to peek at what kind of web server you are using. If you don’t yet know how to check which web server a website is running, here are the two easiest ways:
#1 – Using CentralOps
Go to CentralOps.net and type the domain name or IP address of the website or server whose web server on port 80 (HTTP) you want to identify, then tick the “Service Scan” option. Finally, hit the Go button.
In the result you’ll see not only what kind of web server a website is running but also its FTP server and mail protocols (SMTP, POP3 and IMAP):
#2 – Using Firefox Addon: Domain Details
If you use Firefox as your favorite web browser, you can install an addon called “Domain Details”, which you can download here. This addon displays Server Type, Headers, IP Address, Location Flag, and links to Whois Reports. It also shows links to check server status and cache when a page fails to load.
If you click on the web server name, it displays another popup window with all the other HTTP header details:
Change Apache Server Header Using ModSecurity
Installing the Mod_Security module not only adds protection for your server but also gives you some other advanced options. One of the cool ones is the ability to change, hide, or rather mask the original server header. In short, we can change the Apache name to whatever name you like.
Step 1 – Setup your server with LAMP Stack (CentOS / Ubuntu)
Step 2 – Install ModSecurity with the OWASP CRS module.
Step 3 – Now edit the ModSecurity-CRS config file. I use my favorite editor, Nano:
Step 4 – Then add this line in the Rule Version (basically anywhere but I prefer to put it there):
Replace “your-own-name” with whatever name you like. Example:
Once done, save the file. If you are also using Nano, hit Control+O then Control+X.
Step 5 – Finally restart your Apache web server service:
service httpd restart
That’s it. Now test it again and it should show your defined name instead of Apache.
P.S.: You can replace the Apache server header with another HTTP server name like Nginx, Lighttpd or LiteSpeed just to fool anyone who wants to peek at your server header. However, a clever attacker can simply test your site by triggering a few errors, because Apache, Nginx, Lighttpd, and LiteSpeed each have their own unique error messages (404, 403, etc.).
In order for this directive to work you must leave/set ServerTokens to Full.
Also, the tutorial above was done on a CentOS server. On other distros, simply adjust the commands and directives.
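The header change described in Steps 3 to 5, together with the ServerTokens requirement, as an added configuration sketch (not taken from the original tutorial). It assumes ModSecurity 2.x loaded into Apache as security2_module; “your-own-name” is the tutorial’s placeholder.

```apache
# Added example, not from the original tutorial.
# Assumption: ModSecurity 2.x for Apache, loaded as security2_module.

# ModSecurity overwrites the banner string that Apache builds, so
# ServerTokens has to stay at Full for the replacement to take effect.
ServerTokens Full

<IfModule security2_module>
    # Replace the placeholder with the name to present in the Server header.
    SecServerSignature "your-own-name"
</IfModule>

# Separate Apache directive: ServerSignature controls the footer line that
# Apache appends to the error pages it generates itself. Off removes it.
ServerSignature Off
```

After restarting Apache, check the Server line in the response headers, for example with `curl -sI http://localhost/`, to confirm the new name is being sent.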