
How to Disable Apache Version Number Disclosure on FileWave Server

What

The Apache instance in FileWave can sometimes disclose version numbers in its HTTP response headers. This article outlines the steps to disable this disclosure, thereby enhancing the security of the FileWave Server.

When/Why

This action is recommended when your goal is to improve the security of your FileWave instance. Initially, Apache may disclose specific version information in its responses, like in the example below:

Date: Fri, 14 Jul 2023 00:05:55 GMT
Server: Apache/2.4.57 (Unix) OpenSSL/3.0.9 mod_wsgi/4.9.4 Python/3.10
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Length: 362

This information is disclosed when the HEAD / HTTP/1.0 command is sent to the server (using telnet on port 443). Revealing version numbers can potentially expose the server to targeted attacks, as this information helps attackers focus their efforts. Disabling this disclosure is a recommended best practice in the security community.

How

Please follow the steps below to disable Apache version number disclosure:

  1. SSH into your FileWave server. If you are unsure how to do this, please request assistance from FileWave Technical Support.
  2. Use a command like sudo vi /usr/local/filewave/apache/conf/httpd_custom.conf to open the Apache configuration file in a text editor.
  3. Insert these two lines into the configuration file:
    ServerTokens Prod
    ServerSignature Off
    
  4. Save the file with the updated lines.
  5. Restart Apache with the following command: fwcontrol apache restart.

After following these steps, if you run the HEAD / HTTP/1.0 test (using telnet on port 443), the response from Apache will no longer include specific version numbers. It will look similar to the following:

HTTP/1.1 400 Bad Request
Date: Fri, 14 Jul 2023 00:11:38 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Length: 362
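To make the before/after check repeatable, the following added example (not FileWave's own tooling) parses a response's Server header and audits a config file for the two directives. The function names are hypothetical, the sample input is built from the two Server lines shown in this article, and the config check assumes the directives live in the one file it is given.

```shell
#!/bin/sh
# Added example: checks for the hardening described in this article.

# Print the Server header value from raw HTTP response headers on stdin.
server_header() {
    tr -d '\r' | awk 'tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Succeed only if the Server header has no version, OS or module tokens.
# A missing Server header also counts as minimal.
header_is_minimal() {
    value=$(server_header)
    case "$value" in
        *[0-9]*|*/*|*\(*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the last uncommented value of directive $1 in config file $2.
# Assumption: only this one file is read; Include'd files are not followed.
directive_value() {
    awk -v d="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ { next }
        tolower($1) == d { v = $2 }
        END { print v }' "$2"
}

# Succeed only if the file sets ServerTokens Prod and ServerSignature Off.
config_is_hardened() {
    tokens=$(directive_value ServerTokens "$1" | tr '[:upper:]' '[:lower:]')
    sig=$(directive_value ServerSignature "$1" | tr '[:upper:]' '[:lower:]')
    case "$tokens" in prod|productonly) ;; *) return 1 ;; esac
    [ "$sig" = "off" ]
}

# Constructed sample input, using the two Server lines shown in this article.
BEFORE='Server: Apache/2.4.57 (Unix) OpenSSL/3.0.9 mod_wsgi/4.9.4 Python/3.10'
AFTER='Server: Apache'
printf '%s\r\n' "$BEFORE" | header_is_minimal || echo "before: version details disclosed"
printf '%s\r\n' "$AFTER"  | header_is_minimal && echo "after: product name only"
```

On the server itself, config_is_hardened can be pointed at /usr/local/filewave/apache/conf/httpd_custom.conf, and header_is_minimal can be fed the headers captured from the HEAD test.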

Remember to always prioritize the security of your FileWave instance. If you have further queries or concerns, please don't hesitate to reach out to our Technical Support Team.