Header retrieval
To retrieve the headers, the following works adequately when run on the server itself (all tests were done on Ubuntu 14.04 Trusty Tahr):
curl -v http://localhost:80/ | head
which produces something like:
< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 09:17:51 GMT
* Server Apache/2.4.7 (Ubuntu) is not blacklisted
< Server: Apache/2.4.7 (Ubuntu)
Removing the version number
To remove the version number, edit the file /etc/apache2/conf-enabled/security.conf and amend the lines:
ServerTokens OS
to
ServerTokens Prod
and
ServerSignature On
to
ServerSignature Off
and restart Apache:
sudo service apache2 restart
You should now get a response like:
< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 09:20:03 GMT
* Server Apache is not blacklisted
< Server: Apache
Removing the word “Apache”
To remove the word Apache completely, first install ModSecurity:
sudo apt-get install libapache2-mod-security2
The following commands (enabling the module and restarting Apache) appear not to be required, but are included for reference:
sudo a2enmod security2
sudo service apache2 restart
Check that the module is enabled:
apachectl -M | grep security
which should show:
security2_module (shared)
Then, although you can amend /etc/modsecurity/modsecurity.conf (by renaming modsecurity.conf-recommended), instead amend /etc/apache2/apache.conf, which seems easier (note you can use whatever name you want; in this case I’ve simply used a space):
<IfModule security2_module>
SecRuleEngine on
ServerTokens Min
SecServerSignature " "
</IfModule>
(Using Min rather than Full also prevents modules such as mod_fastcgi appearing after the blank server name.)
Then restart Apache:
sudo service apache2 restart
Final check
Now when you run the command:
curl -v http://localhost:80/ | head
you should get:
< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 09:31:11 GMT
* Server is not blacklisted
< Server:
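The checks above can be scripted so that a regression (for example, a package update restoring the default security.conf) is caught without reading curl output by eye. The following is an added example, not part of the original page; the function names server_banner_level and banner_hardened are hypothetical, and the sample headers are constructed from the three responses shown above.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# server_banner_level reads response headers on stdin (curl -sI output, or
# curl -v output with its "< " prefixes) and prints how much the Server
# header discloses: absent | blank | product | detailed.
server_banner_level() {
    awk '
        function rank(l) {
            if (l == "detailed") return 3
            if (l == "product")  return 2
            if (l == "blank")    return 1
            return 0                        # absent
        }
        BEGIN { level = "absent" }
        { sub(/\r$/, ""); sub(/^< /, "") }  # drop CR and the curl -v prefix
        /^$/ { exit }                       # blank line ends the header block
        tolower($0) ~ /^server[ \t]*:/ {
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value)
            sub(/[ \t]+$/, "", value)
            if (value == "")            cur = "blank"
            else if (value ~ "[0-9/(]") cur = "detailed"  # version, module or OS token
            else                        cur = "product"
            if (rank(cur) > rank(level)) level = cur      # keep the most revealing
        }
        END { print level }
    '
}

# banner_hardened succeeds only when neither product name nor version is sent,
# which is the end state reached with SecServerSignature " ".
banner_hardened() {
    case "$(server_banner_level)" in
        absent|blank) return 0 ;;
        *)            return 1 ;;
    esac
}

# Constructed samples modelled on the three responses shown on the page.
# Prints: detailed, product, blank (one per line).
for banner in 'Apache/2.4.7 (Ubuntu)' 'Apache' ' '; do
    printf 'HTTP/1.1 200 OK\r\nServer: %s\r\n\r\n' "$banner" |
        server_banner_level
done
```

Against a live server, pipe in the headers with: curl -sI http://localhost:80/ | banner_hardened && echo OK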