Ethical Hacker Tip: Hide Your Web Server Info and Use Custom 404

Listen to this Post

Featured Image

You Should Know:

Hiding Apache Version and OS Info

To prevent attackers from exploiting known vulnerabilities in your Apache server version, follow these steps:

1. Edit Apache Configuration:

sudo nano /etc/apache2/apache2.conf

Add these lines at the bottom:

ServerSignature Off
ServerTokens Prod

2. Restart Apache:

sudo service apache2 restart

3. Verify Changes:

curl http://localhost/nonexistentpath -v -A "x"

The output should no longer display server version or OS details.

Setting Up a Custom 404 Page

A default 404 page can still reveal server info. Replace it with a custom page:

1. Edit Apache Configuration:

sudo nano /etc/apache2/apache2.conf

Add or modify:

ErrorDocument 404 /custom_404.html

2. Create a Custom 404 Page:

sudo nano /var/www/html/custom_404.html

Example content:

<!DOCTYPE html>
<html>
<head>
<title>404 Not Found</title>
</head>
<body>

<h1>Oops! Page not found.</h1>

</body>
</html>

3. Restart Apache:

sudo service apache2 restart

For Nginx Users

If using Nginx, hide server info by editing /etc/nginx/nginx.conf:

server_tokens off;

Then restart Nginx:

sudo systemctl restart nginx

Advanced Protection with Fail2Ban

Prevent automated scans by blocking suspicious IPs:

1. Install Fail2Ban:

sudo apt install fail2ban

2. Configure Jail for Apache:

sudo nano /etc/fail2ban/jail.local

Add:

[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/error.log
maxretry = 3

3. Restart Fail2Ban:

sudo systemctl restart fail2ban

What Undercode Say

Hiding server info is a basic but crucial step in hardening web servers. While it doesn’t replace patching vulnerabilities, it reduces exposure to automated attacks. Combine this with:
– Regular updates (sudo apt update && sudo apt upgrade -y)
– Firewall rules (sudo ufw enable)
– Monitoring (sudo tail -f /var/log/apache2/access.log)

For further reading, check:

Expected Output:

After applying these changes, running:

curl -I http://yourserver.com

Should return minimal server info, and accessing a non-existent page should show your custom 404.

Prediction

As automated scanning tools become more sophisticated, obscuring server details will remain a key defense against opportunistic attacks. Expect more AI-driven fingerprinting techniques, making server hardening even more critical.

IT/Security Reporter URL:

Reported By: Activity 7335410342056902657 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram