Security by Obscurity: Or How to Run Your Server on Caffeine

In a perfect world you should be ok with whatever default configuration your server comes with. You install your server, set decent iptables rules and you should be good to go as long as you do regular updates. But we don't live in a perfect world, and the default server configuration is almost never the best configuration, even less so when it comes to security. One of the many ways an attacker plots their attack is by gathering as much information as they can about the server software, and more specifically which version of each package it is running. Some of these packages may have very well known exploits in the wild which can be used to compromise the server. Of course, if you are running a version of the server package that has well-known exploits in the wild, obscuring the server signature will only delay the inevitable.

But even when you are running a patched and up to date version of the server, obscuring your server signature adds a layer of protection on top of an already secured system. Most people who argue against security by obscurity fear that it will only make people lazy about implementing standard security practices. To them I have to say that "You can't cure stupidity".


Changing Server Signature with mod_security

ModSecurity works like a firewall for Apache: it inspects, logs and blocks malicious requests using a set of rules. Unfortunately the libapache2-mod-security package has been removed from the Debian/Ubuntu repositories, so you will need to download the package manually and install it, which is as simple as selecting the right package for your platform and installing it with dpkg. Installing from source can be a bit tricky, but it's worth the trouble. After you have successfully installed mod_security you will need to reload/restart Apache for the changes to take effect.

To configure a custom Server header, edit your Apache configuration file (usually apache2.conf), turn off ServerSignature and add a new entry called "SecServerSignature" followed by the custom server information you want to reveal to the outside world. The best practice is to use a very obscure server name or a version that doesn't exist (e.g. Apache 3.9). But you can also show off to your friends (or baffle script kiddies) with funny entries:

    ServerSignature Off
    SecServerSignature "This Server is running on Caffeine."

Apache needs to be reloaded for this to take effect.
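A quick way to verify the change yourself, as an added example that is not part of the original post: it pulls the Server header out of a raw HTTP response, compares it with the SecServerSignature value, and flags headers that still expose a real product and version (the two sample responses and the "Apache/2.4.41 (Ubuntu)" string are constructed for the demo; the fetch_raw_head helper name is my own).

```python
import http.client
import re
from typing import Optional

# Constructed sample responses (not captured from any real host) showing the
# Server header before and after SecServerSignature is applied.
BEFORE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
          b"Content-Type: text/html\r\n\r\n<html></html>")
AFTER = (b"HTTP/1.1 200 OK\r\nServer: This Server is running on Caffeine.\r\n"
         b"Content-Type: text/html\r\n\r\n<html></html>")

# Product/version tokens that an attacker could map to known vulnerabilities.
VERSION_RE = re.compile(r"\b(apache|nginx|php|openssl|mod_\w+)/?\s*\d+(\.\d+)+", re.I)

def server_header(raw: bytes) -> Optional[str]:
    """Return the value of the Server header from a raw HTTP response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None

def leaks_version(header: Optional[str]) -> bool:
    """True when the header names a real product together with a version number."""
    return bool(header and VERSION_RE.search(header))

def check_signature(raw: bytes, expected: str) -> dict:
    """Compare the served Server header with the configured SecServerSignature."""
    got = server_header(raw)
    return {"server": got, "matches": got == expected, "leaks_version": leaks_version(got)}

def fetch_raw_head(host: str, port: int = 80, path: str = "/") -> bytes:
    """HEAD request against a live host; for interactive use, not part of the offline demo."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
    lines += [f"{k}: {v}" for k, v in resp.getheaders()]
    conn.close()
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, check_signature(raw, "This Server is running on Caffeine."))
```

If the check still reports the stock Apache string after a reload, recall that the ModSecurity documentation for SecServerSignature requires Apache's ServerTokens directive to be set to Full for the replacement to take effect.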

You can use services like securi.net to instantly check if your custom server signature is actually working: