Archive for January, 2008



How to hide your Apache and PHP version number

One of the most basic security practice in the web application world is to hide your web server’s software version number. It doesn’t matter if you use Apache 1.3.37 or lighttpd 1.4.10 on a Linux machine or IIS-5.0 on Windows, hiding the version number is crucial if you want to mitigate the risk of your server being attacked by troublemakers.

BEFORE TREATMENT:

AFTER TREATMENT:

Version numbers are the first thing a typical hacker will look for if they want to attack your server. This is because once they know what version your web server is running on, they can easily look for what kind of vulnerabilities are associated with that version, and then simply run the related exploit to hack your server. Attackers can easily know the type and version of your webserver by looking at the HTTP response headers received after they send requests to your application through a Telnet program, or by using Firefox addons/extensions like ServerSpy and Live HTTP Headers in order to see your web server’s version the moment they visit your site.

So hide your Apache and PHP version!

In order to do this, you need to do some sys admin job. I am going to specifically focus on Apache and PHP because I am more of a LAMP (Linux + Apache + MySQL + PHP) user. If you use ASP on Microsoft IIS, I can’t help you much with all these version-hiding thingy (but hey, Google is there to save your day! Tongue out)

So here goes..

Hide Apache version number:

  • Open your Apache’s httpd.conf file (in my case, # vi /usr/local/apache/conf/httpd.conf), and look for the line that says: “ServerSignature On
  • Change it to “ServerSignature Off” (this will hide the Apache version normally seen at the bottom of your 404 error pages)
  • Then add “ServerTokens Prod” below that line (to hide the version in HTTP response headers)
  • Restart your HTTP service (# /etc/init.d/httpd restart)
  • Done! No more Apache version numbers

Hide PHP version number:

  • Find your php.ini file (in my case, # vi /usr/local/lib/php.ini), and look for the line that says: “expose_php On
  • Change it to: “expose_php Off
  • Restart your HTTP service if necessary
  • Done! No more PHP version number in your HTTP response header

Wasn’t that hard now, was it? Just a few tweaks can save you a great deal of security risk, and may save you your business too! Bear in mind that this does not in any way protect from real vulnerabilities that may be associated with your version. Patches or upgrades should still be applied. However, hiding the version numbers will at least make the hackers life harder Cool

Tags: