Debian/Ubuntu Tips and Tricks



How-To: Apache web server basic security measures — page 2

Posted by chantra on July 30th, 2006

This entry is part 2 of 2 in the series How-To: Apache web server basic security measures

3. PHP:

Another way to hide which PHP version you are running is through php.ini.
PHP has a directive of its own to keep it from being too verbose: expose_php. Turning it Off stops PHP from announcing that it is running. In the following output, I had ServerTokens set to Full and expose_php set to Off:

$ telnet localhost 80
Connected to localhost.
Escape character is '^]'.

HTTP/1.1 200 OK
Date: Tue, 25 Jul 2006 11:35:22 GMT
Server: Apache/2.0.55 (Ubuntu)
Last-Modified: Mon, 20 Mar 2006 09:51:25 GMT
ETag: "3057-1f8-1a0f4140"
Accept-Ranges: bytes
Content-Length: 504
Connection: close
Content-Type: text/html; charset=ISO-8859-1

Connection closed by foreign host.

As you can see here, even though Apache is replying with all its information, we no longer see that PHP is activated.
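
To check a response for the disclosures discussed above, the following Python sketch (an added example, not part of the original post) parses raw response headers and reports version-revealing values together with the setting that removes them. The second sample and its PHP version string are constructed, and the function names are illustrative.

```python
import re

# A product token is a name followed by "/" and a version, e.g. "Apache/2.0.55".
VERSIONED_TOKEN = re.compile(r"\b([A-Za-z][\w.+-]*)/(\d[\w.+~-]*)")
PHP_FIX = "set expose_php = Off in php.ini"
APACHE_FIX = "reduce ServerTokens (for example to Prod)"

# Excerpt of the response shown in the article (ServerTokens Full, expose_php Off).
PAGE_SAMPLE = """HTTP/1.1 200 OK
Server: Apache/2.0.55 (Ubuntu)
Content-Type: text/html; charset=ISO-8859-1
"""

# Constructed sample: a response with expose_php On; the PHP version is made up.
CONSTRUCTED_SAMPLE = """HTTP/1.1 200 OK
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.2
X-Powered-By: PHP/5.1.2
Content-Type: text/html
"""

def parse_headers(raw):
    """Return (name, value) pairs from a raw response head, skipping the status line."""
    headers = []
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def audit_disclosure(raw):
    """List (header, leaked value, suggested fix) for version-revealing headers."""
    findings = []
    for name, value in parse_headers(raw):
        if name == "x-powered-by":
            findings.append(("X-Powered-By", value, PHP_FIX))
        elif name == "server":
            for product, version in VERSIONED_TOKEN.findall(value):
                fix = PHP_FIX if product.lower() == "php" else APACHE_FIX
                findings.append(("Server", f"{product}/{version}", fix))
    return findings

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        print(audit_disclosure(sample))
```

For the article's own response, only the Apache version token is reported, which matches the ServerTokens Full setting used in that test.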

4. Conclusion:

What I have shown here is not a big deal and does not require a lot of administration knowledge, but by doing this, it is harder for a hacker to get into your box by using a known exploit.

I would like to underline that this applies to any service you might be running, such as FTP and so on. The less the hacker knows about what is running, the better it will be for you :)
