
How to Disable Apache Version Number Disclosure on FileWave Server

What

FileWave Server can expose Apache version details in its HTTP response headers by default. This article shows how to reduce that disclosure so the server reports only Apache instead of the full component and version string.

When/Why

Use this when you want to reduce unnecessary version disclosure on a FileWave Server. Exposing detailed version information can make targeted reconnaissance easier, so tightening the Apache response is a reasonable hardening step. Initially, Apache may disclose specific version information in its responses, like in the example below:

Date: Fri, 14 Jul 2023 00:05:55 GMT
Server: Apache/2.4.57 (Unix) OpenSSL/3.0.9 mod_wsgi/4.9.4 Python/3.10
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Length: 362

This information is disclosed when the HEAD / HTTP/1.0 command is sent to the server (using telnet on port 443). Revealing version numbers can potentially expose the server to targeted attacks, as this information helps attackers focus their efforts. Disabling this function is a recommended best practice in the security community.

How

Please follow the steps below to disable Apache version number disclosure:

  1. SSH into your FileWave server. If you are unsure how to do this, please contact FileWave Technical Support.
  2. Open /usr/local/filewave/apache/conf/httpd_custom.conf in a text editor, for example:
    sudo vi /usr/local/filewave/apache/conf/httpd_custom.conf
  3. Add these lines to the file:
    ServerTokens Prod
    ServerSignature Off
  4. Save the file.
  5. Restart Apache:
    fwcontrol apache restart

    After the restart, the same HEAD / HTTP/1.0 test should return a shorter Server header similar to this:

    HTTP/1.1 400 Bad Request
    Date: Fri, 14 Jul 2023 00:11:38 GMT
    Server: Apache
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    X-Frame-Options: SAMEORIGIN
    Content-Length: 362
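
To confirm the change without reading headers by eye, the check below (an added example, not FileWave's own tooling) extracts the Server header from a response, flags anything beyond a bare product name, and verifies that the last uncommented ServerTokens and ServerSignature lines in a config file are Prod and Off. The function names are hypothetical and the config check assumes a single flat file; the sample Server values are the before and after headers shown in this article.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, not FileWave tooling.

# Print the Server header value from raw response headers on stdin.
server_header() {
  tr -d '\r' | awk 'tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Succeed if a Server value shows more than a bare product name:
# a "/version" suffix, an "(OS)" comment, or extra module tokens.
discloses_version() {
  case "$1" in
    */*|*\(*|*" "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the last uncommented value of directive $1 in file $2.
# Assumption: one flat file; Include lines and <VirtualHost> scopes are ignored.
effective_directive() {
  awk -v d="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
    '!/^[ \t]*#/ && tolower($1) == d { v = $2 } END { if (v != "") print v }' "$2"
}

# Succeed if the file sets the two values this article prescribes.
conf_is_hardened() {
  [ "$(effective_directive ServerTokens "$1" | tr 'A-Z' 'a-z')" = "prod" ] &&
    [ "$(effective_directive ServerSignature "$1" | tr 'A-Z' 'a-z')" = "off" ]
}

# Sample responses: the Server lines are the before/after values from the article.
BEFORE='Date: Fri, 14 Jul 2023 00:05:55 GMT
Server: Apache/2.4.57 (Unix) OpenSSL/3.0.9 mod_wsgi/4.9.4 Python/3.10'
AFTER='HTTP/1.1 400 Bad Request
Server: Apache'

for sample in "$BEFORE" "$AFTER"; do
  value=$(printf '%s\n' "$sample" | server_header)
  if discloses_version "$value"; then
    echo "DISCLOSES: $value"
  else
    echo "ok: $value"
  fi
done
# On the server itself:
#   conf_is_hardened /usr/local/filewave/apache/conf/httpd_custom.conf && echo hardened
```
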
    

    Remember to always prioritize the security of your FileWave instance. If you have further queries or concerns, please don't hesitate to reach out to our Technical Support Team.