How to Disable Apache Version Number Disclosure on FileWave Server

What

FileWave Server can expose Apache version details in its HTTP response headers by default. This article shows how to reduce that disclosure so the server reports only Apache instead of the full component and version string.

When/Why

Use this when you want to reduce unnecessary version disclosure on a FileWave Server. Exposing detailed version information can make targeted reconnaissance easier, so tightening the Apache response is a reasonable hardening step.

Date: Fri, 14 Jul 2023 00:05:55 GMT
Server: Apache/2.4.57 (Unix) OpenSSL/3.0.9 mod_wsgi/4.9.4 Python/3.10
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Length: 362

The headers above are returned when a HEAD / HTTP/1.0 request is sent to the server (using telnet on port 443). Revealing version numbers can expose the server to targeted attacks, because this information helps attackers focus their efforts.

How

  1. SSH into your FileWave server. If you are unsure how to do this, contact FileWave Technical Support.
  2. Open /usr/local/filewave/apache/conf/httpd_custom.conf in a text editor, for example:
       sudo vi /usr/local/filewave/apache/conf/httpd_custom.conf
  3. Add these lines to the file:
       ServerTokens Prod
       ServerSignature Off
  4. Save the file.
  5. Restart Apache:
       fwcontrol apache restart

After the restart, the same HEAD / HTTP/1.0 test should return a shorter Server header similar to this:

HTTP/1.1 400 Bad Request
Date: Fri, 14 Jul 2023 00:11:38 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Length: 362
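
To confirm the result without reading headers by eye, the check below classifies the Server header of a captured response. It is an added example, not part of the original article or FileWave tooling; the function names and the fw.example.com hostname are assumptions, and the two sample inputs are the header blocks shown in this article.

```shell
#!/bin/sh
# Added example, not FileWave code: classify the Server header of a captured response.

# Print the value of the first Server header read from stdin (CR stripped).
server_header() {
    tr -d '\r' | awk 'tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Exit status: 0 = product name only (the ServerTokens Prod result),
#              1 = version, OS or module detail present,
#              2 = no Server header in the input.
check_server_header() {
    value=$(server_header)
    if [ -z "$value" ]; then echo "no Server header found"; return 2; fi
    case $value in
        */*|*[0-9]*|*\(*) echo "DISCLOSES: $value"; return 1 ;;
        *) echo "OK: $value"; return 0 ;;
    esac
}

# Header blocks copied from the article (before and after the change).
BEFORE='Date: Fri, 14 Jul 2023 00:05:55 GMT
Server: Apache/2.4.57 (Unix) OpenSSL/3.0.9 mod_wsgi/4.9.4 Python/3.10
Strict-Transport-Security: max-age=31536000; includeSubDomains'
AFTER='HTTP/1.1 400 Bad Request
Date: Fri, 14 Jul 2023 00:11:38 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains'

printf '%s\n' "$BEFORE" | check_server_header || true
printf '%s\n' "$AFTER"  | check_server_header || true

# Against a live server (fw.example.com is a placeholder hostname):
#   curl -skI https://fw.example.com/ | check_server_header
```

The non-zero exit status on disclosure lets the check run from a scheduled job or post-upgrade script, so a configuration that reverts to the full version string is noticed.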