TL;DR
Your AWS Load Balancer might be revealing your backend Apache server version in the response headers, which is a security risk. This guide shows you how to hide it.
Solution Guide
1. Understand the risk
   - Exposing your Apache server version gives attackers information about potential vulnerabilities they can exploit.
   - Hiding it is a simple step that improves your overall cyber security posture.
2. Connect to the EC2 instance running Apache using SSH. You'll need your key pair and appropriate permissions.
3. Open the main Apache configuration file. It is usually located at `/etc/httpd/conf/httpd.conf` or `/etc/apache2/apache2.conf`, depending on your Linux distribution (Amazon Linux vs Ubuntu etc.). Use a text editor like `nano` or `vim`:
   - `sudo nano /etc/httpd/conf/httpd.conf`
4. Find the line containing `ServerTokens`. It might be commented out (starting with a `#`).
   - Change it to `ServerTokens Prod`. This will only show 'Apache' in the `Server` header, hiding version details.
   - If the directive doesn't exist, add it anywhere within the main configuration file outside of any `<VirtualHost>` blocks.
5. Find the line containing `ServerSignature`. It might be commented out.
   - Change it to `ServerSignature Off`. This removes the Apache version from error pages.
   - If the directive doesn't exist, add it anywhere within the main configuration file outside of any `<VirtualHost>` blocks.
6. After making changes, restart the Apache service for them to take effect:
   - `sudo systemctl restart httpd` (Amazon Linux) or `sudo systemctl restart apache2` (Ubuntu)
7. Use a tool like `curl` to check the response headers:
   - `curl -I http://your-load-balancer-dns-name`
   - Look for the `Server: Apache` header. The version number should no longer be present.
8. If you have multiple EC2 instances behind your load balancer, repeat steps 2-6 on each instance.
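The steps above (set `ServerTokens Prod` and `ServerSignature Off` at the top level of the main config, then verify the `Server` header) can be scripted so the same change is applied identically on every instance behind the load balancer. The script below is an added example, not part of the original guide: the function names, the constructed sample config it demonstrates on, and the sample header lines are all my own. It comments out any existing top-level occurrence of each directive and appends the hardened value at the end of the file, which keeps it outside every `<VirtualHost>` block and, because Apache honours the last occurrence of a directive, makes it win over anything set in included files.

```shell
#!/bin/sh
# Added example (not from the original guide): apply the ServerTokens /
# ServerSignature hardening to an Apache config file and check the result.
set -eu

# set_directive FILE NAME VALUE
# Comment out every existing top-level "NAME ..." line in FILE, then append
# "NAME VALUE" at the end of the file (outside any <VirtualHost> block).
set_directive() {
    conf="$1"; name="$2"; value="$3"
    sed "s/^[[:space:]]*${name}[[:space:]].*/# &/" "$conf" > "$conf.tmp"
    # Make sure the file ends with a newline before appending.
    [ -z "$(tail -c1 "$conf.tmp")" ] || printf '\n' >> "$conf.tmp"
    printf '%s %s\n' "$name" "$value" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# harden_apache_conf FILE: the two directives the guide recommends.
harden_apache_conf() {
    set_directive "$1" ServerTokens Prod
    set_directive "$1" ServerSignature Off
}

# effective_directive FILE NAME: print the value of the last active
# (non-commented) occurrence of NAME in FILE, i.e. the one Apache will use.
effective_directive() {
    grep -E "^[[:space:]]*$2[[:space:]]+" "$1" | tail -n 1 | awk '{print $2}'
}

# server_header_leaks_version "Server: ...": succeed (exit 0) when the header
# still carries an Apache version number, e.g. "Server: Apache/2.4.x (Ubuntu)".
server_header_leaks_version() {
    printf '%s\n' "$1" | grep -Eiq '^Server:[[:space:]]*Apache/[0-9]'
}

# check_lb_header URL: fetch the headers through the load balancer (like the
# guide's "curl -I") and report whether the version is still exposed.
# Not run here because it needs network access; call it with your LB DNS name.
check_lb_header() {
    hdr=$(curl -sI "$1" | grep -i '^Server:' | tr -d '\r')
    if server_header_leaks_version "$hdr"; then
        echo "STILL LEAKING: $hdr"; return 1
    fi
    echo "OK: ${hdr:-no Server header}"
}

# Demo on a constructed config file (not a real server file) so this runs
# offline. Note the stale "ServerTokens OS" and the commented-out signature.
demo_conf=$(mktemp)
printf '%s\n' 'ServerTokens OS' '#ServerSignature On' \
    '<VirtualHost *:80>' '    ServerName www.example.com' '</VirtualHost>' > "$demo_conf"
harden_apache_conf "$demo_conf"
echo "ServerTokens now:    $(effective_directive "$demo_conf" ServerTokens)"
echo "ServerSignature now: $(effective_directive "$demo_conf" ServerSignature)"
rm -f "$demo_conf"
```

Run `apachectl configtest` (or `httpd -t`) before the restart in step 6 so a typo does not take the instance out of the target group. On Debian/Ubuntu the packaged defaults (`ServerTokens OS`, `ServerSignature On`) live in `/etc/apache2/conf-enabled/security.conf`; pointing the script at `/etc/apache2/apache2.conf` still works because the appended lines come after the `IncludeOptional conf-enabled/*.conf` line and therefore override them.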