Removing the version number apache2 and hide version apache2 in Ubuntu

Header retrieval

To get the headers, this seems to work adequately if on the server (all tests done on Ubuntu 14.04 Trusty Tahr):

curl -v http://localhost:80/ | head

which produces something like:

< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 09:17:51 GMT
* Server Apache/2.4.7 (Ubuntu) is not blacklisted
< Server: Apache/2.4.7 (Ubuntu)

Removing the version number

To remove the version number, edit the file /etc/apache2/conf-enabled/security.conf and amend the lines:

• ServerTokens OS to ServerTokens Prod
• ServerSignature On to ServerSignature Off

and restart Apache:

sudo service apache2 restart

You should now get the a response like:

< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 09:20:03 GMT
* Server Apache is not blacklisted
< Server: Apache

Removing the word “Apache”

To remove the word Apache completely, first install ModSecurity:

sudo apt-get install libapache2-mod-security2

The following lines appear to not be required (enabling the module and restarting Apache) but for reference:

sudo a2enmod security2
sudo service apache2 restart

Check that the module is enabled:

apachectl -M | grep security

which should show:

security2_module (shared)

Then although you can amend /etc/modsecurity/modsecurity.conf (by renaming modsecurity.conf-recommended), instead amend /etc/apache2/apache.conf which seems easier (note you can use whatever name you want, in this case I’ve simply used a space):

<IfModule security2_module>
    SecRuleEngine on
    ServerTokens Min
    SecServerSignature " "
</IfModule> 

(Using Min rather than Full also prevents modules such as mod_fastcgi appearing after the blank server name.)

Then restart Apache:

sudo service apache2 restart

Final check

Now when you run the command:

curl -v http://localhost:80/ | head

you should get:

< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 09:31:11 GMT
* Server  is not blacklisted
< Server: