How-To: Apache web server basic security measures — page 2
This is part 2 of How-To: Apache web server basic security measures.
Another way to hide which PHP version you are running is through php.ini.
PHP has a directive of its own for being less verbose: expose_php. Setting it to Off stops PHP from announcing that it is running. In the following output, I had ServerTokens set to Full and expose_php set to Off:
$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 25 Jul 2006 11:35:22 GMT
Server: Apache/2.0.55 (Ubuntu)
Last-Modified: Mon, 20 Mar 2006 09:51:25 GMT
ETag: "3057-1f8-1a0f4140"
Accept-Ranges: bytes
Content-Length: 504
Connection: close
Content-Type: text/html; charset=ISO-8859-1

Connection closed by foreign host.
As you can see here, even though Apache is replying with all of its information, the response no longer shows that PHP is enabled.
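To repeat this check across your own servers without reading telnet output by eye, the following added example (not code from the original article) parses a response head and lists each header value that discloses software or a version, with the setting that removes it. The second sample response and its PHP version are constructed, and the suggested ServerTokens Prod value is Apache's own setting rather than something shown on this page.

```python
import re

# Server product tokens look like "Apache/2.0.55" or "PHP/5.1.2";
# parenthesised comments such as "(Ubuntu)" reveal the platform.
PRODUCT = re.compile(r"([A-Za-z][\w.+-]*)/(\d[\w.+~-]*)")
COMMENT = re.compile(r"\(([^)]*)\)")

# Response headers as shown on the page (ServerTokens Full, expose_php Off).
PAGE_RESPONSE = """\
HTTP/1.1 200 OK
Date: Tue, 25 Jul 2006 11:35:22 GMT
Server: Apache/2.0.55 (Ubuntu)
Content-Type: text/html; charset=ISO-8859-1
"""
# Constructed sample: the same server with expose_php On (PHP version made up).
EXPOSED_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.2
X-Powered-By: PHP/5.1.2
"""

def parse_headers(raw):
    """Return {lowercased name: [values]} from a raw HTTP response head."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # a blank line ends the header section
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_banner(raw):
    """Return (finding, suggested setting) pairs for version disclosure."""
    headers = parse_headers(raw)
    findings = [(f"X-Powered-By: {v}", "expose_php = Off")
                for v in headers.get("x-powered-by", [])]
    for value in headers.get("server", []):
        for product, version in PRODUCT.findall(value):
            fix = "expose_php = Off" if product.lower() == "php" else "ServerTokens Prod"
            findings.append((f"Server shows {product}/{version}", fix))
        for comment in COMMENT.findall(value):
            findings.append((f"Server shows platform ({comment})", "ServerTokens Prod"))
    return findings

if __name__ == "__main__":
    for finding, fix in audit_banner(EXPOSED_RESPONSE):
        print(f"{finding:40} -> {fix}")
```

Run against the page's own response, it still reports the Apache version and the Ubuntu platform string, which is what ServerTokens Full leaves visible even with expose_php Off.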
What I have shown here is not a big deal and does not require much administration knowledge, but doing it makes it harder for a hacker to get into your box by using a known exploit.
I would like to underline that this applies to any service you might be running, such as FTP. The less the hacker knows about what is running, the better it is for you.