Server identity masking
One technique that often helps slow
down and confuse attackers is changing
the web server's identity. Web servers
typically send their identity with
every HTTP response in the Server
header. Apache is particularly helpful
here: by default it not only sends its
name and full version, but also allows
server modules to append their own
versions.
To change the identity of the Apache
web server you would have to go into
the source code, find where the name
"Apache" is hard-coded, change it, and
recompile the server. The same effect
can be achieved using the
SecServerSignature directive:
SecServerSignature "Microsoft-IIS/5.0"
It should be noted that although this
works quite well, skilled attackers
(and tools) may use other techniques
to "fingerprint" the web server. For
example, default files, error messages,
the ordering of the outgoing headers,
the way the server responds to certain
requests, and similar details can all
give away the true identity. I will look
into further enhancing the support for
identity masking in future releases of
mod_security.
If you change the Apache signature but
are annoyed by the strange message in
the error log (some modules are still
visible; this only affects the error
log, and from the outside it still works
as expected):
[Fri Jun 11 04:02:28 2004] [notice] Microsoft-IIS/5.0 mod_ssl/2.8.12 OpenSSL/0.9.6b configured -- resuming normal operations
then you should rearrange the module
loading order to allow mod_security to
run last, exactly as explained for
chrooting.
Note
In order for this directive to work
you must leave/set ServerTokens to
Full.
When the SecServerSignature directive
is used to change the public server
signature, ModSecurity will start
writing the real signature to the
error log, to allow you to identify
the web server and the modules used.
It is running right now but I think it is not smart to use another existing servername because you can trigger attack actions. – Codebeat – 2014-05-24T00:56:32.593
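The following is an added example, not part of the quoted documentation or of mod_security itself: a small check that the mask described above is actually in effect, comparing a configuration fragment against a captured response. The function names, the sample configuration and the sample response are constructed for illustration, and an absent ServerTokens line is accepted because the note says to leave or set it to Full.

```python
# Constructed sample inputs, not taken from the original page.
SAMPLE_CONF = """\
# httpd.conf fragment
ServerTokens Full
SecServerSignature "Microsoft-IIS/5.0"
"""
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Content-Length: 0\r\n\r\n"
)

def directive(conf, name):
    """Return the last value set for a directive (case-insensitive), or None."""
    value = None
    for line in conf.splitlines():
        parts = line.strip().split(None, 1)
        # Skip blank lines and lines starting with '#'.
        if parts and not parts[0].startswith("#") and parts[0].lower() == name.lower():
            value = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return value

def server_header(raw_response):
    """Extract the Server header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, val = line.partition(":")
        if key.strip().lower() == "server":
            return val.strip()
    return None

def audit(conf, raw_response):
    """Return a list of findings; an empty list means the mask is in effect."""
    masked = directive(conf, "SecServerSignature")
    if masked is None:
        return ["SecServerSignature is not set"]
    findings = []
    tokens = directive(conf, "ServerTokens")
    # Assumption from the page's note: leaving ServerTokens unset is acceptable.
    if tokens is not None and tokens.lower() != "full":
        findings.append(f"ServerTokens is {tokens}, must be Full")
    sent = server_header(raw_response)
    if sent != masked:
        findings.append(f"Server header is {sent!r}, expected {masked!r}")
    # Any token outside the configured signature reveals real software.
    extra = [t for t in (sent or "").split() if t not in masked.split()]
    if extra:
        findings.append("unmasked tokens: " + " ".join(extra))
    return findings
```

This only checks the Server header; the other fingerprinting signals the text lists (default files, error messages, header ordering) are outside its scope.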