By default, Apache offers the following service fingerprint:
Server: Apache/2.4.6 (Sangoma) OpenSSL/1.0.2k-fips PHP/5.6.40
This is an open invitation to every potential attacker as it hands out version numbers of Apache, PHP and OpenSSL including even the minor version. Having that info, anyone can easily list the bugs contained in those versions. Because of the 'Sangoma' statement behind Apache's version number one can also guess the underlying OS and its version.
Please consider changing that statement ServerTokens in Apache configuration from Full zu Prod. This would change the service fingerprint to:
Nobody needs a wevserver to hand out more information about its own bugs.