Enter your email address:

Delivered by FeedBurner

Secure your apache server from given info to hackers

Submitted by ggarron on Tue, 04/03/2007 - 01:00.
StumbleUpon Toolbar

Taken from: http://www.debianadmin.com/securing-apache-web-server-from-information-l...

A lot of more interesting content, for Debian, visit: http://www.debianadmin.com/

By default, most pre-packaged apache installations come with full information leakage, so if you telnet to port 80 on your webserver you can check, just type in the GET / HTTP/1.1 line, then hit enter twice

#telnet localhost 80
Trying 127.0.0.1…
Connected to localhost.localdomain.
Escape character is ‘^]’.
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Fri, 30 Mar 2007 09:59:37 GMT
Server: Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-18
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

Here we see the Apache version, the distro, and the php version. If you had any extra apache modules installed, it would also show them as well as their versions. We can easily fix this by modifying the config file which will be distribution dependent. On Debian/Ubuntu its /etc/apache2/apache2.conf,We will need to modify the ServerSignature and ServerTokens lines, if you don’t have them, add them in. Here’s what they should be set to

ServerSignature Off
ServerTokens Prod

Now you need to Secure PHP version information

By default when php serves a page your header will show

X-Powered-By: PHP/4.X.X

You need to modify the php.ini and set the expose_php variable to Off. For Debian/Ubuntu, the file is /etc/php4/apache2/php.ini (If you are using php5 you need to edit this file /etc/php4/apache2/php.ini) . This will remove the X-Powered-By line.

expose_php = Off

Another problem in php could be display_errors, you want this turned off for a production web site because it might provide file paths or other informaiton.

display_errors = Off

Now you need to restart the apache web server using the following command

#/etc/init.d/apache2 restart

Test your Apache server

telnet to port 80 on your webserver just type in the GET / HTTP/1.1 line, then hit enter twice

# telnet localhost 80
Trying 127.0.0.1…
Connected to localhost.localdomain.
Escape character is ‘^]’.
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Fri, 30 Mar 2007 09:59:37 GMT
Server: Apache
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

Now you can see in the above information you don’t find any apache version details,Distro and php version details.

Bookmark/Search this post with:
  • Delicious
  • Digg
  • Reddit
  • Magnoliacom
  • Newsvine
  • Furl
  • Google
  • Yahoo
  • Technorati

Trackback URL for this post:

http://www.go2linux.org/trackback/52
StumbleUpon Toolbar

 If you like this article, subscribe to our full rss

If this article was somehow useful for you, you can leave something in the tip's jar

Please post your question in our forum and use comments only to leave your comments about the article, thanks.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

Captcha
This question is for testing whether you are a human visitor and to prevent automated spam submissions.

This site is proudly hosted at Bluefur Hosting