Security by Obscurity

Hiding information about your system doesn't make it secure. A frequently asked Apache question is how to turn ServerTokens off, commonly in the name of some illusion of increased security. Though some advocate it, this is widely held to be futile:

  • Generic bot-driven attacks ("script kiddies") will just try every server they can find. If you look through your Apache logs, you'll be sure to find a bunch of IIS classics like Nimda and Code Red. A practical experiment is to run two servers, one announcing itself as Apache and the other as IIS, and see if there's any difference!
  • Expert attacks will easily identify your server as Apache, regardless of your ServerTokens setting.

Neither type of attack is affected very much by your server identifying itself as Apache or otherwise.
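
One way to carry out the log check and the two-server comparison described above is sketched below. It is an added example, not part of the original page. It assumes access logs in Common Log Format and matches the request paths commonly associated with Code Red and Nimda; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Request paths that only make sense against IIS (assumed worm signatures).
IIS_PROBES = {
    "Code Red": re.compile(r"^/default\.ida\?", re.I),
    "Nimda": re.compile(r"/(?:root|cmd)\.exe(?:\?|$)", re.I),
}

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
LOG_LINE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} ')

SAMPLE = {  # constructed log lines keyed by the banner each test server announces
    "Apache": [
        '192.0.2.10 - - [01/Jan/2002:00:00:01 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276',
        '192.0.2.11 - - [01/Jan/2002:00:00:05 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280',
        '198.51.100.7 - - [01/Jan/2002:00:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    ],
    "IIS": [
        '192.0.2.10 - - [01/Jan/2002:00:00:02 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276',
        '192.0.2.12 - - [01/Jan/2002:00:00:09 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
        'malformed line that the parser must skip',
    ],
}

def classify(path):
    """Return the worm name whose signature matches the request path, else None."""
    for name, pattern in IIS_PROBES.items():
        if pattern.search(path):
            return name
    return None

def count_iis_probes(lines):
    """Count IIS-specific probes in an iterable of access-log lines."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        name = classify(m.group(1)) if m else None
        if name:
            hits[name] += 1
    return hits

def compare(logs_by_banner):
    """Map each announced banner to its probe counts, for side-by-side comparison."""
    return {banner: count_iis_probes(lines) for banner, lines in logs_by_banner.items()}

if __name__ == "__main__":
    for banner, hits in compare(SAMPLE).items():
        print(banner, dict(hits))
```

To run the experiment on real data, pass the two servers' access-log files to compare() in place of SAMPLE.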