Go2Linux | Linux Operating System

A site dedicated to: Linux Operating System

Secure your apache server from given info to hackers

Date: 2007-04-02 00:00:00 -0400

Taken from: http://www.debianadmin.com/securing-apache-web-server-from-information-leakage.html

A lot of more interesting content, for Debian, visit: http://www.debianadmin.com/

By default, most pre-packaged apache installations come with full information leakage, so if you telnet to port 80 on your webserver you can check, just type in the GET / HTTP/1.1 line, then hit enter twice

telnet localhost 80

Trying 127.0.0.1… Connected to localhost.localdomain. Escape character is ‘]’. GET / HTTP/1.1

HTTP/1.1 400 Bad Request Date: Fri, 30 Mar 2007 09:59:37 GMT Server: Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-18 Content-Length: 337 Connection: close Content-Type: text/html; charset=iso-8859-1

Here we see the Apache version, the distro, and the php version. If you had any extra apache modules installed, it would also show them as well as their versions. We can easily fix this by modifying the config file which will be distribution dependent. On Debian/Ubuntu its /etc/apache2/apache2.conf,We will need to modify the ServerSignature and ServerTokens lines, if you don’t have them, add them in. Here’s what they should be set to

ServerSignature Off ServerTokens Prod

Now you need to Secure PHP version information

By default when php serves a page your header will show

X-Powered-By: PHP/4.X.X

You need to modify the php.ini and set the expose_php variable to Off. For Debian/Ubuntu, the file is /etc/php4/apache2/php.ini (If you are using php5 you need to edit this file /etc/php4/apache2/php.ini) . This will remove the X-Powered-By line.

expose_php = Off

Another problem in php could be display_errors, you want this turned off for a production web site because it might provide file paths or other informaiton.

display_errors = Off

Now you need to restart the apache web server using the following command

/etc/init.d/apache2 restart

Test your Apache server

telnet to port 80 on your webserver just type in the GET / HTTP/1.1 line, then hit enter twice

telnet localhost 80

Trying 127.0.0.1… Connected to localhost.localdomain. Escape character is ‘]’. GET / HTTP/1.1

HTTP/1.1 400 Bad Request Date: Fri, 30 Mar 2007 09:59:37 GMT Server: Apache Content-Length: 337 Connection: close Content-Type: text/html; charset=iso-8859-1

Now you can see in the above information you don’t find any apache version details,Distro and php version details.

If you liked this article please share it.

powered by TinyLetter

If you want to contact me in any other way, please use the contact page.

Creative Commons Attribution-NonCommercial-ShareAlike 3.0 | Powered by Jekyll

RSS feed | Twitter feed