root@server:~# apt install apache2 apache2-doc

Durante a instalação do apache2 é criado um ficheiro de configuração bastante restrito. No entanto essa configuração pode ser alterada editando o ficheiro /etc/apache2/sites-available/000-default.conf:

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

Sempre que é solicitada uma página ao servidor httpd, este envia na resposta a sua assinatura (nome, versão, sistema operativo, etc…). Estas informações podem ser utilizadas para explorar vulnerabilidades e facilitar o ataque ao servidor.

Por segurança é conveniente desligar o envio da assinatura do servidor, o que pode ser feito no ficheiro de configuração de segurança do servidor /etc/apache2/conf-available/security.conf:

# [...]

# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#ServerTokens Minimal
#ServerTokens OS
#ServerTokens Full
ServerTokens Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#ServerSignature Off
#ServerSignature On
ServerSignature Off

# [...]

Verificar que a sintaxe do ficheiro de configuração está correta:

root@server:~# apachectl -t
Syntax OK

Reiniciar o servidor apache2:

root@server:~# systemctl restart apache2

Num browser, inserir o endereço do servidor (http://192.168.1.100):

• The Apache HTTP Server Project
• Wikipedia: Servidor Apache
• Apache 2.2 Documentation