How should I mask my web server's banners to get enhanced security?
1. Edit the server's source code or the binary to change the default string
2. Edit configuration files or install a plug-in to mask the banner of your server
3. Never mind, obscuring banners doesn't enhance security!
The best response is 3. "Never mind, obscuring banners doesn't enhance security!"
Server banners reveal details about the name and version of the software. Attackers can use this to fine-tune attacks against your server. So, it is commonly advised that server banners be turned off or obscured.
A common approach is to edit the default banner and recompile the source code (if the source is available), or even to patch the server binary directly (where the source code is not available). While this does obscure the banner, it is error-prone and hard to sustain, since the change has to be redone every time a patch is applied.
A safer approach is to use available configuration options and add-on plug-ins. IIS banners, for instance, can be masked by installing URLScan and setting its RemoveServerHeader option; Apache's banner can be changed with the Header set Server directive in httpd.conf once mod_headers is enabled. However, tools like httprint can still identify the web server by examining its responses to a richer set of fingerprinting requests, so the banner header is only one of several signals.
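As an added example (not from the original quiz and not code from URLScan, mod_headers or httprint), the following Python audit parses a raw HTTP response and reports where software details still leak, including a version string printed in an error-page body after the Server header has been masked. The header list, product-name list and sample responses are constructed assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Response headers that commonly name the product and/or version.
# Assumption: an illustrative list, not an exhaustive one.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")
# Product names that identify the software even without a version.
KNOWN_PRODUCTS = ("apache", "nginx", "microsoft-iis", "lighttpd", "php", "asp.net")
# Tokens such as "Apache/2.4.41", "Microsoft-IIS/10.0" or "PHP/7.4.3".
PRODUCT_VERSION_RE = re.compile(r"\b[A-Za-z][\w.-]*/\d+(?:\.\d+)+")


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP/1.x response into status line, header list and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def discloses(value: str) -> bool:
    """True if a header value carries a product name or a product/version token."""
    low = value.lower()
    return bool(PRODUCT_VERSION_RE.search(value)) or any(p in low for p in KNOWN_PRODUCTS)


def audit(raw: str) -> Dict[str, List[str]]:
    """Report where a response still discloses server software.

    'headers' lists disclosing header fields; 'body' lists product/version
    tokens found in the body (e.g. an Apache ServerSignature footer on a 404
    page). An empty dict means nothing obvious leaked.
    """
    _, headers, body = parse_response(raw)
    findings: Dict[str, List[str]] = {}
    for name, value in headers:
        if name in DISCLOSURE_HEADERS and discloses(value):
            findings.setdefault("headers", []).append(f"{name}: {value}")
    body_hits = PRODUCT_VERSION_RE.findall(body)
    if body_hits:
        findings["body"] = body_hits
    return findings


# Constructed samples: default banners, a masked header whose error page
# still prints the version, and a fully masked response.
UNMASKED = ("HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
            "Server: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\n"
            "Content-Type: text/html\r\n\r\n<html>ok</html>")
MASKED_HEADER_ONLY = ("HTTP/1.1 404 Not Found\r\nServer: Web\r\nContent-Type: text/html\r\n\r\n"
                      "<address>Apache/2.4.41 (Ubuntu) Server at www.example.com Port 80</address>")
FULLY_MASKED = "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html>Not found</html>"

if __name__ == "__main__":
    for label, raw in (("unmasked", UNMASKED), ("header only", MASKED_HEADER_ONLY), ("fully masked", FULLY_MASKED)):
        print(label, audit(raw))
```

Run it against captured responses from your own server's normal pages and its 404/500 error pages; a clean result from the header alone is not enough, as the second sample shows.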
But let's take a step back and ask how much security one really gains by masking banners. Very little, probably. Attack tools and vulnerability scanners take a shotgun approach: they attempt different exploits without checking the name or version of the target server. If the exploit succeeds, that's good enough for them. Never mind the banners; they really are not interested in fingerprinting the server. Worms follow a similar approach, indiscriminately delivering their malicious payload irrespective of the server version.
So, as we go to press, the evidence is inadequate to support banner masking as a strategy for stronger security.