Great article by Pete Freitag on Securing Apache Web Servers
(20 ways to Secure your Apache Configuration)
Here are 20 things you can do to make your apache configuration more secure.
Disclaimer: The thing about security is that there are no guarantees or absolutes. These suggestions should make your server a bit tighter, but don’t think your server is necessarily secure after following these suggestions.
Additionally some of these suggestions may decrease performance, or cause problems due to your environment. It is up to you to determine if any of the changes I suggest are not compatible with your requirements. In other words proceed at your own risk.
First, make sure you’ve installed latest security patches
There is no sense in putting locks on the windows, if your door is wide open. As such, if you’re not patched up there isn’t really much point in continuing any longer on this list.
Hide the Apache Version number, and other sensitive information.
By default many Apache installations tell the world what version of Apache you’re running, what operating system/version you’re running, and even what Apache Modules are installed on the server. Attackers can use this information to their advantage when performing an attack. It also sends the message that you have left most defaults alone.
There are two directives that you need to add, or edit in your
ServerSignature Off ServerTokens Prod
ServerSignature appears on the bottom of pages generated by apache such as 404 pages, directory listings, etc.
ServerTokens directive is used to determine what Apache will put in the
Server HTTP response header. By setting it to
Prod it sets the HTTP response header as follows:
If you’re super paranoid you could change this to something other than “Apache” by editing the source code, or by using mod_security (see below).