Completely hide server name apache

To confuse the hacker and guess what Linux OS or what version of Apache he is using. You can change the Apache server name to whatever you want.

For ubuntu 20.04:

Apache default configuration:

$ sudo apt install apache2 -y

$ curl -I localhost

HTTP/1.1 200 OK
Date: Fri, 23 Oct 2020 01:31:44 GMT
Server: Apache/2.4.41 (Ubuntu)

Change the Apache server name to whatever you want:

$ sudo apt install libapache2-mod-security2

$ sudo a2enmod security2

$ sudo vim /etc/apache2/conf-available/security.conf

ServerTokens Full

ServerSignature Off

SecServerSignature Microsoft-IIS/10.0

$ sudo systemctl restart apache2

$ curl -I localhost

HTTP/1.1 200 OK
Date: Fri, 23 Oct 2020 01:54:00 GMT
Server: Microsoft-IIS/10.0

If the SecServerSignature option is set to SecServerSignature " " This completely hides the apache server name.

$ curl -I localhost

HTTP/1.1 200 OK
Date: Fri, 23 Oct 2020 02:39:50 GMT
Server:

Apache on its own cannot completely unset the Server header (not even with mod_headers).

This appears to be by design, as discussed by the Apache devs.

There is a way to do this using ModSecurity, but I know little about that. Instead, these people have it all figured out already:

https://unix.stackexchange.com/questions/124137/change-apache-httpd-server-http-header

I can verify that this works, just tried on Debian 7.6.

edit: install mod security for apache and then add this in your apache2.conf.

<IfModule security2_module>
    SecRuleEngine on
    ServerTokens Full
    SecServerSignature " "
</IfModule> 

After this restarting the apache, Server header will disappear