Apache Obfuscation and the Art of Looking It Up Yourself
Cancer Omega <comega@attrition.org>

It seems every time I turn around, someone's asking how to obscure their web server identification in the same manner that we here at Attrition do. To wit:

Server: Temple-of-Hate/19.3.1.BetaThug (PathOS)

I'm going to preface this tutorial with one very stern warning:

The following changes will NOT afford you ANY additional security! Scriptkiddies don't care what server you're supposedly running; they'll just bang away until something cries 'Uncle.' Skilled attackers will see right through the ruse. And automated intrusion agents (AKA, 'worms') just don't give a shit and will launch their attack sequences no matter what!

With that said, here's the necessary info. Once again, the documentation will take longer to write than it takes to actually figure out this trivial task.

Here's all you need to do:

  1. Unpack the Apache distro file (apache_1.x.xx.tar.gz) and run the configure script. (If you don't know how to do either of those tasks, stop reading now. There's no way you can possibly install Apache without inflicting self-injury.)
  2. Do the following commands:
    1. cd src/os/unix
      (With Apache 2.x, cd os/unix)
    2. vi os.h
    3. Search for:
      #define PLATFORM "Unix"
    4. Replace "Unix" with whatever you want your OS identification to be. (Some of the more creative ones I've done are 'NachOS,' 'PathOS,' 'StratOS,' 'ZerOS,' and 'OreOS'...to name but a few.)
    5. Save the file.
    6. cd ../../include
    7. vi httpd.h
      (With Apache 2.x, vi ap_release.h)
    8. Search for:
      #define SERVER_BASEVENDOR   "Apache Group"
      #define SERVER_BASEPRODUCT  "Apache"
      #define SERVER_BASEREVISION "1.x.xx"
    9. Replace "Apache" and "1.x.xx" with whatever you want your Server and version number to be. (I recommend "Fuck-You-bin-Laden" and "9.11.2001", respectively.)
    10. Save the file.
    11. cd ../..
      (With Apache 2.x, cd ..)
    12. make
  3. That's it.

    That's right. That's IT. Like I said, these changes are TRIVIAL. Minimal research (via a resource such as Google) by anyone with even the slightest understanding of Apache or C coding would have yielded more than ample information to compose these changes!

    Look, I don't mind helping people. I don't even mind giving people quick answers to quick questions. But when people write to me asking for this data without so much as even perfunctory research on their own...well, that's where I get a bit annoyed.

    If you get any errors in compiling, I don't want to hear about it. The instructions provided here work just fine on every system I perform them on. If you get an error, it's your own fault.


    Thanks to lucid@unixgeeks.org for the update on Apache 2.x file names and directory locations.