Server Administration & Management

How to hide Lighttpd software version

Useful: there is really no need to disclose this information to everyone. As shown in "Discover the web server software and version of a remote server", anyone can read valuable information from our web server banner. Hiding it will not protect in any way against real vulnerabilities if they exist, but it will at least make an attacker's life harder. It will also not stop more complex fingerprinting programs from detecting some information about the web server, but at least we should not make their life easier ;) .

Compared with Apache (which by default shows a lot of information, even about the Linux distribution and the installed Apache modules), lighttpd will only show its server name and version in the header. This is good enough, but we probably still want to hide that information anyway. For this, we will use the global lighttpd variable server.tag, which defines the string returned in the Server response header. The default (if not defined) is:

server.tag = "lighttpd <current-version>"

and this will look in a regular header output like:

Server: lighttpd/1.4.19

To override this, we just have to define our own value for the server.tag variable in lighttpd.conf. Usually I like to define it like this:

server.tag = "lighttpd"

leaving the lighty name but taking out the version. You can of course enter anything you like (even forging an Apache or IIS server banner, etc.):

server.tag = "Apache/1.3.29 (Unix) mod_perl/1.29 PHP/4.4.1 mod_ssl/2.8.16 OpenSSL/0.9.7g"

Conclusion: if you want to provide minimum information about your system, then customize your lighty server.tag:

server.tag = "lighttpd"
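As an added example (not part of the original post, and not lighttpd's own tooling), the following POSIX shell snippet checks whether a block of HTTP response headers still discloses a version number in the Server header, so you can verify the server.tag change took effect after a restart. The two sample header blocks are constructed to mirror the default and the customized banner shown above; the function names and the check_live_server helper are my own.

```shell
#!/bin/sh
# Added example: classify a block of HTTP response headers as either
# "version-disclosed" (Server: header carries a "/<digits>" version token)
# or "ok" (no version in the Server: header, or no Server: header at all).
# Only the Server: line is inspected, so "HTTP/1.1" in the status line does
# not count as a version leak.
classify_server_header() {
    if printf '%s\n' "$1" | grep -i '^Server:' | grep -Eq '/[0-9]+(\.[0-9]+)*'; then
        echo "version-disclosed"
    else
        echo "ok"
    fi
}

# Constructed sample responses (not captured from a real server).
# Default server.tag = "lighttpd <current-version>":
DEFAULT_HEADERS='HTTP/1.1 200 OK
Server: lighttpd/1.4.19
Content-Type: text/html'

# Customized server.tag = "lighttpd":
HARDENED_HEADERS='HTTP/1.1 200 OK
Server: lighttpd
Content-Type: text/html'

# Check a server you administer after reloading lighttpd, e.g.:
#   check_live_server http://localhost/
# (hypothetical helper; curl -sI fetches only the response headers)
check_live_server() {
    classify_server_header "$(curl -sI "$1")"
}

# Stand-alone run: classify the two constructed samples.
echo "default:  $(classify_server_header "$DEFAULT_HEADERS")"
echo "hardened: $(classify_server_header "$HARDENED_HEADERS")"
```

Run it against your own host with check_live_server after editing lighttpd.conf; a result of "ok" means the version is no longer in the banner, while "version-disclosed" usually means the config was not reloaded or the server.tag line sits outside the global scope.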


October 4, 2012 - Posted by | Lighttpd, Tips & Tricks, Unix/Linux
