How to Secure Apache and PHP by hiding version information

Attackers will usually try to find out your PHP and Apache versions using simple methods, because most bugs are version specific. You can hide Apache and PHP version information easily, but first let us see how much information your installation displays:

Try the following PHP URLs (replace your-domain-name.com with your actual domain) and you will see how much information you are giving out to an attacker.
http://your-domain-name.com/index.ph…9-4C7B08C10000
http://your-domain-name.com/index.ph…9-00AA001ACF42
http://your-domain-name.com/index.ph…9-00AA001ACF42
http://your-domain-name.com/index.ph…9-00AA001ACF42

Get your Apache server information using telnet

Code:
telnet domain.com 80

Once connected, type HEAD / HTTP/1.0 followed by the [Enter] key (the blank line that follows it ends the request).

Output:

Code:
Trying 206.xxx.xxx.xxx...
Connected to your-domain-name.com.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.0 200 OK
Date: Wed, 20 Dec 2006 11:30:42 GMT
Server: Apache/2.0.52 (Red Hat)
Accept-Ranges: bytes
Content-Length: 3985
Connection: close
Content-Type: text/html; charset=UTF-8
Connection closed by foreign host.

The Server header reveals the Apache version and the distribution name.

How do I hide Apache version info?
Open the httpd.conf file (located in the /etc/httpd/ or /etc/apache2/ directory):

Code:
vi httpd.conf

Set Apache ServerTokens to show the product name only, without the version and other details:

Code:
ServerTokens Prod

This directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server as well as information about compiled-in modules.

Setting it to Prod sends only Server: Apache and nothing else.

Set Apache ServerSignature to Off:

Code:
ServerSignature Off

The ServerSignature directive controls the trailing footer line that Apache adds under server-generated documents such as error pages and directory listings; that footer repeats the server version.

How do I hide PHP info?
Open php.ini (located at /etc/php.ini or in the /etc/php5 or /etc/php4 directory):

Code:
vi php.ini

Make sure PHP does not display errors or other PHP information. Modify or add the following settings:

Code:
expose_php = Off
display_errors = Off
register_globals = Off

Also send all errors to /var/log/httpd/php-scripts-error.log instead of displaying them on screen to the end user, since error output can reveal serious information about your setup:

Code:
error_log = /var/log/httpd/php-scripts-error.log

Restart Apache.

Code:
/etc/init.d/httpd restart

Now all PHP script errors are written to /var/log/httpd/php-scripts-error.log. Ask your website developers to use the following commands to view the log file:

Code:
tail -f /var/log/httpd/php-scripts-error.log
vi /var/log/httpd/php-scripts-error.log
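To verify from the outside that the changes took effect, here is an added example (not from the original post) in Python that parses a raw HEAD reply like the telnet transcript above and flags a version in the Server header, an OS/distribution suffix, and PHP's X-Powered-By banner. Both sample replies are constructed; the X-Powered-By line with PHP/5.1.6 is a hypothetical value that PHP sends while expose_php is On, not something shown on the page.

```python
import re
import socket

# Constructed sample: the reply from the telnet session above, before hardening.
# The X-Powered-By line is hypothetical; PHP adds it while expose_php = On.
BEFORE = (
    "HTTP/1.0 200 OK\r\n"
    "Date: Wed, 20 Dec 2006 11:30:42 GMT\r\n"
    "Server: Apache/2.0.52 (Red Hat)\r\n"
    "X-Powered-By: PHP/5.1.6\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
)
# Constructed sample: the same server after ServerTokens Prod and expose_php = Off.
AFTER = (
    "HTTP/1.0 200 OK\r\n"
    "Date: Wed, 20 Dec 2006 11:30:42 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
)


def parse_headers(raw):
    """Return {lowercase name: value} for the header block of a raw HTTP reply."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def find_leaks(raw):
    """List what the headers give away: version, OS/distribution, PHP banner."""
    h = parse_headers(raw)
    server = h.get("server", "")
    findings = []
    if re.search(r"/\d", server):  # 'Apache/2.0.52': ServerTokens is not Prod
        findings.append("Server header exposes version: " + server)
    if "(" in server:  # '(Red Hat)': OS or distribution is exposed
        findings.append("Server header exposes OS/distribution: " + server)
    if "x-powered-by" in h:  # only sent while expose_php = On
        findings.append("X-Powered-By present: " + h["x-powered-by"])
    return findings


def head_request(host, port=80, timeout=5):
    """Send the same HEAD / HTTP/1.0 request as the telnet session; return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        return s.makefile("rb").read().decode("latin-1")
```

Run find_leaks(head_request("your-domain-name.com")) against your own server after the restart; an empty list means the Server header is down to the product name and the PHP banner is gone.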

For more information, read the Apache 2 docs: http://httpd.apache.org/docs/2.2/mod/core.html

ABOUT AUTHOR
Rodel Sales is a freelance I.T. professional. Started blogging in May 2013 to share my technical skills with other I.T. professionals and collect imperative guides from the internet world.