By default, Apache provides several bits of information to anyone interested. Any information obtained by attackers helps them build a better view of the system and makes it easier for them to break into the system.
For example, the installation process automatically puts the email address of the user compiling Apache (or, rather, the email address it thinks is the correct email address) into the configuration file. This reveals the account to the public, which is undesirable. The following directive replaces the Apache-generated email address with a generic address:
ServerAdmin webmaster@apachesecurity.net
By default, the email address defined with this directive appears on server-generated pages. Since this is probably not what you want, you can turn off this feature completely via the following directive:
ServerSignature Off
The HTTP protocol defines a response header fieldServer, whose purpose is to identify the software responding to the request. By default, Apache populates this header with its name, version number, and names and version numbers of all its modules willing to identify themselves. You can see what this looks like by sending a test request to the newly installed server:
$ telnet localhost 80 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. HEAD / HTTP/1.0
HTTP/1.1 200 OK Date: Fri, 19 Mar 2004 22:05:35 GMT Server: Apache/1.3.29 (Unix) Content-Location: index.html.en Vary: negotiate,accept-language,accept-charset TCN: choice Last-Modified: Fri, 04 May 2001 00:00:38 GMT ETag: "4002c7-5b0-3af1f126;405a21d7" Accept-Ranges: bytes Content-Length: 1456 Connection: close Content-Type: text/html Content-Language: en Expires: Fri, 19 Mar 2004 22:05:35 GMT
This header field reveals specific and valuable information to the attacker. You can’t hide it completely (this is not entirely true, as you will find in the next section), but you can tell Apache to disclose only the name of the server (“Apache”).
ServerTokens ProductOnly
We turned off the directory indexing feature earlier when we set theOptions directive to have the valueNone. Having the feature off by default is a good approach. You can enable it later on a per-directory basis:
Automatic directory indexes are dangerous because programmers frequently create folders that have no default indexes. When that happens, Apache tries to be helpful and lists the contents of the folder, often showing the names of files that are publicly available (because of an error) but should not be seen by anyone, such as the following:
Files (usually archives) stored on the web server but not properly protected (e.g., with a password) because users thought the files could not be seen and thus were secure
Files that were uploaded “just for a second” but were never deleted
Source code backup files automatically created by text editors and uploaded to the production server by mistake
Backup files created as a result of direct modification of files on the production server
To fight the problem of unintentional file disclosure, you should turn off automatic indexing (as described in the “AllowOverride directive” section) and instruct Apache to reject all requests for files matching a series of regular expressions given below. Similar configuration code exists in the default httpd.conf file to deny access to . htaccess files (the per-directory configuration files I mentioned earlier). The following extends the regular expression to look for various file extensions that should normally not be present on the web server:
<FilesMatch "(^\.ht|~$|\.bak$|\.BAK$)"> Order Allow,Deny Deny from all </FilesMatch>
TheFilesMatchdirective only looks at the last part of the full filename (the basename), and thus,FilesMatch configuration specifications do not apply to directory names. To completely restrict access to a particular directory, for example to deny access to CVS administrative files (frequently found on web sites), use something like:
<DirectoryMatch /CVS/> Order Allow,Deny Deny from all </DirectoryMatch>
/ 8 
