nixCraft

nixcraft · #1 (**permalink**) 12-20-2006, 06:05 PM

Task learn how to secure Apache and PHP by hiding version information and other information

Attacker will always try to find out your PHP and Apache version using simple method. Most bugs are version specific. You can hide Apache and PHP information easily. But first let us see how much information is displayed by your installation:

Try out following php urls (replace your-domain-name.com with your actual domain) and you will know how much information you are giving out to attacker.
http://your-domain-name.com/index.ph...9-4C7B08C10000
http://your-domain-name.com/index.ph...9-00AA001ACF42
http://your-domain-name.com/index.ph...9-00AA001ACF42
http://your-domain-name.com/index.ph...9-00AA001ACF42

Get your Apache server information using telnet

Code:

telnet domain.com 80

When connected type HEAD / HTTP/1.0, followed by [Enter] key.

Output:

Code:

Trying 206.xxx.xxx.xxx...
Connected to your-domain-name.com.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.0 200 OK
Date: Wed, 20 Dec 2006 11:30:42 GMT
Server: Apache/2.0.52 (Red Hat)
Accept-Ranges: bytes
Content-Length: 3985
Connection: close
Content-Type: text/html; charset=UTF-8
Connection closed by foreign host.

It is providing Apache version and distribution name.

How do I Hide Apache Version info?
Open httpd.conf file (located in /etc/httpd/ directory /etc/apache2/ )

Code:

vi httpd.conf

Set Apache ServerTokens to product only but don't show version and other info:

Code:

ServerTokens Prod

This directive controls whether Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.

Setting this to Prod only displays Apache and nothing else.

Set Apache ServerSignature off

Code:

ServerSignature Off

The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents.

How do I hide php info?
Open php.ini (located in /etc/php.ini or /etc/php5 or /etc/php4 directory)

Code:

vi php.ini

Make sure php does not display errors and other php information. Modify add setting as follows:

Code:

expose_php = Off
display_errors=Off
register_globals = Off

Also send all errors to /var/log/php-scripts-error.log and not on screen to end user. It can provide serious information to user.
error_log = /var/log/httpd/php-scripts-error.log

Restart Apache.

Code:

/etc/init.d/httpd restart

Now all php script errors are written to /var/log/httpd/php-scripts-error.log. Ask your website developers to use following commands to view log files

Code:

tail -f /var/log/httpd/php-scripts-error.log
vi /var/log/httpd/php-scripts-error.log.

For more info please read Apache 2 docs http://httpd.apache.org/docs/2.2/mod/core.html

cbzee · #2 (**permalink**) 12-20-2006, 06:12 PM

wow, my server is giving all this info

thanks for sharing ... really appricate your effort

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Upgrade Apache Server	sweta	Ubuntu / Debian	0	11-01-2007 02:53 AM
Squid information	ssent12	Getting started tutorials	2	08-15-2007 06:43 PM
Linux create self signed ssl certificate for Apache httpd server	raj	Getting started tutorials	0	05-05-2007 01:23 AM
Linus torvalds Information	tom	Getting started tutorials	2	01-05-2006 07:07 PM
NFS version	p_narahari	Solaris/OpenSolaris	3	06-28-2005 07:17 PM

nixCraft

Apache php web server security by hiding version information

Apache php web server security by hiding version information

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Similar Threads