
Thread: Apache php web server security by hiding version information

  1. #1 nixcraft (Never say die)

    Apache php web server security by hiding version information

    Task: learn how to secure Apache and PHP by hiding version information and other information

    Attackers will always try to find out your PHP and Apache version using simple methods. Most bugs are version specific. You can hide Apache and PHP information easily. But first let us see how much information is displayed by your installation:

    Try out the following PHP URLs (replace your-domain-name.com with your actual domain) and you will know how much information you are giving out to an attacker.
    http://your-domain-name.com/index.ph...9-4C7B08C10000
    http://your-domain-name.com/index.ph...9-00AA001ACF42
    http://your-domain-name.com/index.ph...9-00AA001ACF42
    http://your-domain-name.com/index.ph...9-00AA001ACF42

    Get your Apache server information using telnet
    Code:
    telnet domain.com 80
    Once connected, type HEAD / HTTP/1.0 followed by the [Enter] key.

    Output:
    Code:
    Trying 206.xxx.xxx.xxx...
    Connected to your-domain-name.com.
    Escape character is '^]'.
    HEAD / HTTP/1.0
    
    HTTP/1.0 200 OK
    Date: Wed, 20 Dec 2006 11:30:42 GMT
    Server: Apache/2.0.52 (Red Hat)
    Accept-Ranges: bytes
    Content-Length: 3985
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Connection closed by foreign host.
    It is providing Apache version and distribution name.

    How do I Hide Apache Version info?
    Open the httpd.conf file (located in the /etc/httpd/ or /etc/apache2/ directory):
    Code:
    vi httpd.conf
    Set Apache ServerTokens to product only so it doesn't show the version and other info:

    Code:
    ServerTokens Prod
    This directive controls whether the Server response header field, which is sent back to clients, includes a description of the generic OS-type of the server as well as information about compiled-in modules.

    Setting this to Prod only displays Apache and nothing else.

    Set Apache ServerSignature to off:
    Code:
    ServerSignature Off
    The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents.

    How do I hide php info?
    Open php.ini (located at /etc/php.ini or in the /etc/php5 or /etc/php4 directory):
    Code:
    vi php.ini
    Make sure PHP does not display errors and other PHP information. Modify or add the settings as follows:
    Code:
    expose_php = Off
    display_errors=Off
    register_globals = Off
    Also send all errors to /var/log/php-scripts-error.log and not on screen to the end user. They can provide serious information to the user.
    Code:
    error_log = /var/log/httpd/php-scripts-error.log

    Restart Apache.
    Code:
    /etc/init.d/httpd restart
    Now all PHP script errors are written to /var/log/httpd/php-scripts-error.log. Ask your website developers to use the following commands to view the log file:
    Code:
    tail -f /var/log/httpd/php-scripts-error.log
    vi /var/log/httpd/php-scripts-error.log
    For more info please read the Apache 2 docs: http://httpd.apache.org/docs/2.2/mod/core.html
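The following is an added example, not code from the original post: a small Python audit script that reproduces the checks described above offline. It parses a raw HTTP response of the kind you would read back over telnet and flags a Server header that carries a version or distribution string, plus an X-Powered-By header (which PHP adds unless expose_php is Off); it then checks httpd.conf and php.ini text for the ServerTokens, ServerSignature, expose_php, display_errors and error_log settings from the post. All sample responses and config snippets are constructed inline; the leaky response mirrors the telnet output shown above, with an assumed X-Powered-By: PHP/4.3.9 line added for illustration.

```python
"""Audit Apache/PHP information disclosure against the settings in the post.
All sample data below is constructed for this example."""
import re

# Raw responses as read back over "telnet host 80" (constructed; the first
# mirrors the leaky reply in the post plus an assumed X-Powered-By header,
# the second is what a hardened host returns).
LEAKY_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Date: Wed, 20 Dec 2006 11:30:42 GMT\r\n"
    b"Server: Apache/2.0.52 (Red Hat)\r\n"
    b"X-Powered-By: PHP/4.3.9\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
)
HARDENED_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Date: Wed, 20 Dec 2006 11:30:42 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
)

# Config snippets (constructed) in the weak and the hardened form.
WEAK_HTTPD_CONF = "ServerTokens Full\nServerSignature On\n"
HARDENED_HTTPD_CONF = "# hardened per the post\nServerTokens Prod\nServerSignature Off\n"
WEAK_PHP_INI = "expose_php = On\ndisplay_errors = On\n"
HARDENED_PHP_INI = (
    "; hardened per the post\n"
    "expose_php = Off\n"
    "display_errors = Off\n"
    "error_log = /var/log/httpd/php-scripts-error.log\n"
)


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lowercased name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit_response(raw):
    """Return findings describing version/platform disclosure in the headers."""
    findings = []
    _, headers = parse_headers(raw)
    server = headers.get("server", "")
    # "ServerTokens Prod" yields a bare "Apache"; a "/<digits>" means a
    # version, a parenthesised part means OS/distribution (e.g. "(Red Hat)").
    if re.search(r"/\d", server):
        findings.append(f"Server header reveals version: {server}")
    if "(" in server:
        findings.append(f"Server header reveals OS/distribution: {server}")
    if "x-powered-by" in headers:
        findings.append(f"X-Powered-By reveals PHP: {headers['x-powered-by']}")
    return findings


def _directives(text, comment, sep=None):
    """Parse 'Key value' lines (sep=None, Apache) or 'key = value' lines (php.ini)."""
    out = {}
    for line in text.splitlines():
        line = line.split(comment, 1)[0].strip()  # drop comments
        if not line:
            continue
        if sep:
            if sep not in line:
                continue
            key, value = line.split(sep, 1)
        else:
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts
        out[key.strip().lower()] = value.strip()
    return out


def audit_apache_conf(text):
    """Flag ServerTokens/ServerSignature values other than Prod/Off (Apache defaults to Full/Off)."""
    d = _directives(text, "#")
    findings = []
    tokens = d.get("servertokens", "Full (default)")
    if tokens.lower() != "prod":
        findings.append(f"ServerTokens is {tokens}; set ServerTokens Prod")
    signature = d.get("serversignature", "Off (default)")
    if not signature.lower().startswith("off"):
        findings.append(f"ServerSignature is {signature}; set ServerSignature Off")
    return findings


def audit_php_ini(text):
    """Flag expose_php/display_errors left on (PHP's built-in default) and a missing error_log."""
    d = _directives(text, ";", "=")
    findings = []
    for key in ("expose_php", "display_errors"):
        value = d.get(key, "On (default)")
        if value.lower() not in ("off", "0"):
            findings.append(f"{key} = {value}; set {key} = Off")
    if not d.get("error_log"):
        findings.append("error_log is unset; point it at a file such as /var/log/httpd/php-scripts-error.log")
    return findings


if __name__ == "__main__":
    for label, findings in (
        ("leaky response", audit_response(LEAKY_RESPONSE)),
        ("hardened response", audit_response(HARDENED_RESPONSE)),
        ("weak httpd.conf", audit_apache_conf(WEAK_HTTPD_CONF)),
        ("hardened httpd.conf", audit_apache_conf(HARDENED_HTTPD_CONF)),
        ("weak php.ini", audit_php_ini(WEAK_PHP_INI)),
        ("hardened php.ini", audit_php_ini(HARDENED_PHP_INI)),
    ):
        print(f"{label}: {findings or 'no findings'}")
```

Run it as-is to see the weak samples flagged and the hardened ones pass clean; to audit a real host, paste the HEAD output from the telnet session into LEAKY_RESPONSE, or feed the audit functions the actual contents of your httpd.conf and php.ini.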


  2. #2 Junior Member

    wow, my server is giving all this info

    thanks for sharing ... really appreciate your effort
