How-To: Apache web server basic security measures — page 2

This is part 2 of How-To: Apache web server basic security measures.

3. PHP

Another way to hide which PHP version you are running is through php.ini.

PHP has a directive of its own for not being too verbose: the variable called expose_php. Setting it to Off stops PHP from announcing that it is running. In the following output, I had ServerTokens set to Full and expose_php set to Off:

$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 25 Jul 2006 11:35:22 GMT
Server: Apache/2.0.55 (Ubuntu)
Last-Modified: Mon, 20 Mar 2006 09:51:25 GMT
ETag: "3057-1f8-1a0f4140"
Accept-Ranges: bytes
Content-Length: 504
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Connection closed by foreign host.

As you can see here, even though Apache is still replying with all of its own information, we no longer see that PHP is active.
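To check this without reading telnet output by eye, here is an added example (not code from the original post) that parses a raw HTTP response head and reports which directive to review for each disclosure it finds: an X-Powered-By header points at expose_php, a Server header that names PHP or carries a version points at ServerTokens. The two constructed samples (one with both directives left verbose, one hardened) and the PHP/5.1.2 version string are assumptions; the third sample reproduces the headers from the telnet session above. Passing a hostname on the command line runs the same audit against a live server.

```python
"""Audit an HTTP response head for the version disclosure discussed above:
PHP via expose_php (X-Powered-By) and Apache via ServerTokens (Server).
Added example; header values in the samples below are constructed."""
import http.client
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample: ServerTokens Full and expose_php On (both disclose PHP).
RAW_EXPOSED = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 25 Jul 2006 11:35:22 GMT\r\n"
    "Server: Apache/2.0.55 (Ubuntu) PHP/5.1.2\r\n"
    "X-Powered-By: PHP/5.1.2\r\n"
    "Content-Type: text/html; charset=ISO-8859-1\r\n"
    "\r\n"
)
# Headers as shown in the post's telnet session: ServerTokens Full, expose_php Off.
RAW_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 25 Jul 2006 11:35:22 GMT\r\n"
    "Server: Apache/2.0.55 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=ISO-8859-1\r\n"
    "\r\n"
)
# Constructed sample: ServerTokens Prod and expose_php Off.
RAW_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 25 Jul 2006 11:35:22 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=ISO-8859-1\r\n"
    "\r\n"
)

PHP_RE = re.compile(r"\bPHP(?:/[\w.+-]+)?", re.IGNORECASE)
VERSION_RE = re.compile(r"/\d")  # a "Product/1.2.3" token carries a version


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw response head into {lower-cased name: [values]}.
    The status line is skipped; repeated headers keep every value."""
    headers: Dict[str, List[str]] = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_disclosure(headers: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (directive to review, evidence) pairs for each disclosure found."""
    findings: List[Tuple[str, str]] = []
    for value in headers.get("x-powered-by", []):
        # X-Powered-By is the header expose_php adds when left On.
        findings.append(("expose_php", f"X-Powered-By: {value}"))
    for value in headers.get("server", []):
        if PHP_RE.search(value):
            # With ServerTokens Full, Apache lists loaded modules such as PHP.
            findings.append(("ServerTokens", f"Server names PHP: {value}"))
        elif VERSION_RE.search(value):
            findings.append(("ServerTokens", f"Server reveals version: {value}"))
    return findings


def fetch_raw_head(host: str, port: int = 80, path: str = "/") -> str:
    """Live check: send HEAD as in the telnet session and rebuild the raw head."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        lines += [f"{k}: {v}" for k, v in resp.getheaders()]
        return "\r\n".join(lines) + "\r\n\r\n"
    finally:
        conn.close()


if __name__ == "__main__":
    samples = {"exposed": RAW_EXPOSED, "page": RAW_PAGE, "hardened": RAW_HARDENED}
    if len(sys.argv) > 1:  # optional live target, e.g. localhost
        samples[sys.argv[1]] = fetch_raw_head(sys.argv[1])
    for label, raw in samples.items():
        findings = audit_disclosure(parse_headers(raw))
        print(f"{label}: {len(findings)} disclosure(s)")
        for directive, evidence in findings:
            print(f"  review {directive}: {evidence}")
```

Run against the post's own headers it reports only the ServerTokens finding, which is exactly what the author observes: PHP is silent, Apache still talks. The Server check is deliberately split so that a header naming PHP is attributed to ServerTokens rather than expose_php, because expose_php only governs X-Powered-By.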

4. Conclusion

What I have shown here is not a big deal and does not require a lot of administration knowledge, but by doing it you make it harder for a hacker to get into your box by using known exploits.

I would like to underline that this applies to any service you might be running, such as FTP and the like. The less the hacker knows about what is running, the better it will be for you :smile: