Such an open access point could be a trap set up by a knowledgeable person with bad intentions, with proper tools they can not only log all your online activities but can also gain access to your email, bank or financial website information that you access to using their internet connection. A smart and capable hacker can hijack your session when you are connected to your bank or email account without actually having username and password for your account. For some sites without proper security measures username and password can be viewed in plain text using a sniffer, as shown below.

In the above demonstration as you can see with the correct tools (in this Cane and Abel) anyone can sniff out critical access informations to websites you visit. Please note that the above example  is just a demonstration and banks usually don’t pass plaintext username and password like shown here.

To protect yourself, avoid connecting to open Wi-Fi access point, whether you know the source or not. If you absolutely have to connect to an open relay, try to avoid logging to password protected websites.

In a perfect world you should be ok with whatever default configuration your server comes with. You install your server – set a decent iptables rules and you should be good to go as long as you do regular updates. But we don’t live in a perfect world and the default server configurations are almost always not the best configuration, more so when it comes to security. One of the many ways an attacker plots their attack is by gaining as much information they can get about the server software and more specifically which version of the package they are running. Some of these packages may have very well known exploits in the wild which can be used to compromise the server. Of course if you are running a version of the server package that has well-known exploits in the wild, obscuring server signature will only delay the inevitable.

But even when you are running a patched and up to date version of the server, obscuring your server signature adds a layer of protection on an already secured system. Most people who argue against security by obscurity, fear that this will only make people lazy towards implementing standard security practices. To them I have to say that “You can’t cure stupidity”.

Changing Server Signature with mod_security

ModSecurity works like a firewall for Apache, it checks, logs and prevents malicious activity using a set of rules. Unfortunately libapache2-mod-security package have been removed from debian/Ubuntu repositories so you will need to manually download the package and install it, which is as simple as selecting the right package for your platform and installing it with dpkg. Installing from source can be a bit tricky but its worth the trouble. After you have successfully installed mod_security you will need to reload/restart apache for changes to take effect.

To configure custom Server Header, edit your apache configuration file (usually apache2.conf) and turn off ServerSignature and add a new entry called “SecServerSignature” followed by the custom server information you want to reveal to the outside world. The best practice is to use a very obscure server name or version that doesn’t exist (i.e. Apache 3.9). But you can also show off to your friends (or baffle script kiddies) with funny entries:

   1: ServerSignature Off

   2: SecServerSignature "This Server is running on Caffeine."

Need apache reload to take effect.

You can use services like securi.net to instantly check if your custom server signature is actually working:

Or Netcraft, which takes few days to update: