Thread: Apache php web server security by hiding version information
View Single Post

  #1 (permalink)  
Old 12-20-2006, 07:05 PM
nixcraft's Avatar
nixcraft nixcraft is offline
Never say die
User
  
Join Date: Jan 2005
Location: BIOS
My distro: Ubuntu
Posts: 1,061
Rep Power: 10
nixcraft has a reputation beyond repute nixcraft has a reputation beyond repute nixcraft has a reputation beyond repute nixcraft has a reputation beyond repute nixcraft has a reputation beyond repute nixcraft has a reputation beyond repute nixcraft has a reputation beyond repute nixcraft has a reputation beyond repute nixcraft has a reputation beyond repute nixcraft has a reputation beyond repute nixcraft has a reputation beyond repute
Default Apache php web server security by hiding version information
Task learn how to secure Apache and PHP by hiding version information and other information

Attacker will always try to find out your PHP and Apache version using simple method. Most bugs are version specific. You can hide Apache and PHP information easily. But first let us see how much information is displayed by your installation:

Try out following php urls (replace your-domain-name.com with your actual domain) and you will know how much information you are giving out to attacker.
http://your-domain-name.com/index.ph...9-4C7B08C10000
http://your-domain-name.com/index.ph...9-00AA001ACF42
http://your-domain-name.com/index.ph...9-00AA001ACF42
http://your-domain-name.com/index.ph...9-00AA001ACF42

Get your Apache server information using telnet
Code:
telnet domain.com 80
When connected type HEAD / HTTP/1.0, followed by [Enter] key.

Output:
Code:
Trying 206.xxx.xxx.xxx...
Connected to your-domain-name.com.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.0 200 OK
Date: Wed, 20 Dec 2006 11:30:42 GMT
Server: Apache/2.0.52 (Red Hat)
Accept-Ranges: bytes
Content-Length: 3985
Connection: close
Content-Type: text/html; charset=UTF-8
Connection closed by foreign host.
It is providing Apache version and distribution name.

How do I Hide Apache Version info?
Open httpd.conf file (located in /etc/httpd/ directory /etc/apache2/ )
Code:
vi httpd.conf
Set Apache ServerTokens to product only but don't show version and other info:

Code:
ServerTokens Prod
This directive controls whether Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.

Setting this to Prod only displays Apache and nothing else.

Set Apache ServerSignature off
Code:
ServerSignature Off
The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents.

How do I hide php info?
Open php.ini (located in /etc/php.ini or /etc/php5 or /etc/php4 directory)
Code:
vi php.ini
Make sure php does not display errors and other php information. Modify add setting as follows:
Code:
expose_php = Off
display_errors=Off
register_globals = Off
Also send all errors to /var/log/php-scripts-error.log and not on screen to end user. It can provide serious information to user.
error_log = /var/log/httpd/php-scripts-error.log

Restart Apache.
Code:
/etc/init.d/httpd restart
Now all php script errors are written to /var/log/httpd/php-scripts-error.log. Ask your website developers to use following commands to view log files
Code:
tail -f /var/log/httpd/php-scripts-error.log
vi /var/log/httpd/php-scripts-error.log.
For more info please read Apache 2 docs http://httpd.apache.org/docs/2.2/mod/core.html
__________________
Vivek | My personal blog
Linux Evangelist
Play hard stay cool
Reply With Quote