Task learn how to secure Apache and PHP by hiding version information and other information
Attacker will always try to find out your PHP and Apache version using simple method. Most bugs are version specific. You can hide Apache and PHP information easily. But first let us see how much information is displayed by your installation:
Try out following php urls (replace your-domain-name.com with your actual domain) and you will know how much information you are giving out to attacker.
Get your Apache server information using telnet
When connected type HEAD / HTTP/1.0, followed by [Enter] key.
telnet domain.com 80
It is providing Apache version and distribution name.
Connected to your-domain-name.com.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.0 200 OK
Date: Wed, 20 Dec 2006 11:30:42 GMT
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Connection closed by foreign host.
How do I Hide Apache Version info?
Open httpd.conf file (located in /etc/httpd/ directory /etc/apache2/ )
Set Apache ServerTokens to product only but don't show version and other info:
This directive controls whether Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.
Setting this to Prod only displays Apache and nothing else.
Set Apache ServerSignature off
The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents.
How do I hide php info?
Open php.ini (located in /etc/php.ini or /etc/php5 or /etc/php4 directory)
Make sure php does not display errors and other php information. Modify add setting as follows:
Also send all errors to /var/log/php-scripts-error.log and not on screen to end user. It can provide serious information to user.
expose_php = Off
register_globals = Off
error_log = /var/log/httpd/php-scripts-error.log
Now all php script errors are written to /var/log/httpd/php-scripts-error.log. Ask your website developers to use following commands to view log files
For more info please read Apache 2 docs http://httpd.apache.org/docs/2.2/mod/core.html
tail -f /var/log/httpd/php-scripts-error.log