This blog is about...

...my journey in building successful Web 2.0 startup businesses and developing useful Web 2.0 applications/sites. No, I'm not gonna just talk about marketing and monetizing; I'll also be talking about designing and programming from the bottom up...! ;)

How to hide your Apache and PHP version number

One of the most basic security practices in the web application world is to hide your web server’s software version number. Whether you run Apache 1.3.37 or lighttpd 1.4.10 on a Linux machine or IIS-5.0 on Windows, hiding the version number is crucial if you want to mitigate the risk of your server being attacked by troublemakers.

BEFORE TREATMENT: [screenshot of the HTTP response headers]

AFTER TREATMENT: [screenshot of the HTTP response headers]

Version numbers are the first thing a typical hacker will look for when they want to attack your server. Once they know which version your web server is running, they can easily look up the vulnerabilities associated with that version and simply run the related exploit against it. Attackers can find out the type and version of your web server by looking at the HTTP response headers they receive after sending a request to your application through a Telnet program, or by using Firefox add-ons/extensions like ServerSpy and Live HTTP Headers, which show your web server’s version the moment they visit your site.

So hide your Apache and PHP version!

In order to do this, you need to do some sys admin work. I am going to focus specifically on Apache and PHP because I am more of a LAMP (Linux + Apache + MySQL + PHP) user. If you use ASP on Microsoft IIS, I can’t help you much with all this version-hiding business (but hey, Google is there to save your day!)

So here goes..

Hide Apache version number:

  • Open your Apache’s httpd.conf file (in my case, # vi /usr/local/apache/conf/httpd.conf), and look for the line that says: “ServerSignature On”
  • Change it to “ServerSignature Off” (this will hide the Apache version normally seen at the bottom of your 404 error pages)
  • Then add “ServerTokens Prod” below that line (to hide the version in the HTTP response headers; the Server header will then read just “Apache”)
  • Restart your HTTP service (# /etc/init.d/httpd restart)
  • Done! No more Apache version numbers

Hide PHP version number:

  • Find your php.ini file (in my case, # vi /usr/local/lib/php.ini), and look for the line that says: “expose_php = On”
  • Change it to: “expose_php = Off”
  • Restart your HTTP service if necessary
  • Done! No more PHP version number in your HTTP response header

Wasn’t that hard now, was it? Just a few tweaks can save you a great deal of security risk, and may save your business too! Bear in mind that this does not in any way protect you from the real vulnerabilities that may be associated with your version. Patches or upgrades should still be applied. However, hiding the version numbers will at least make the hackers’ life harder.
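To confirm the tweaks actually took effect, here is an added example (my own code, not part of the original post) that parses an HTTP response and flags the two disclosures discussed above: a version string in the Server header and a leaked X-Powered-By header. The "before" and "after" responses below are constructed, not captured from a real server, and fetch_raw_headers is a helper name of my own for checking a live host.

```python
import http.client
import re
from typing import Dict, List

# Constructed sample responses modelling the "before" and "after" states.
BEFORE = """HTTP/1.1 200 OK
Date: Thu, 01 Nov 2007 10:00:00 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.4
X-Powered-By: PHP/5.2.4
Content-Type: text/html
"""

AFTER = """HTTP/1.1 200 OK
Date: Thu, 01 Nov 2007 10:00:00 GMT
Server: Apache
Content-Type: text/html
"""

# Matches a "/<digits>.<digits>..." version suffix such as Apache/1.3.37 or PHP/5.2.4
VERSION_RE = re.compile(r"/\d+(\.\d+)*")


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw response (status line + header lines) into a lower-cased dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def version_disclosures(raw: str) -> List[str]:
    """Return one finding per leak; an empty list means the server is quiet."""
    headers = parse_headers(raw)
    findings = []
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings.append(f"Server header discloses a version: {server!r} (set ServerTokens Prod)")
    if "x-powered-by" in headers:
        findings.append(f"X-Powered-By present: {headers['x-powered-by']!r} (set expose_php = Off)")
    return findings


def fetch_raw_headers(host: str, port: int = 80, path: str = "/") -> str:
    """Hypothetical helper: fetch a live response's status line and headers (HEAD request)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    lines = [f"HTTP/1.1 {resp.status} {resp.reason}"] + [f"{k}: {v}" for k, v in resp.getheaders()]
    return "\n".join(lines)
```

Run version_disclosures(fetch_raw_headers("your.host")) against your own server after the restart; an empty list is the result you want.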


“There’s absolutely no bubble in Technology”

Ok… after weeks of hardcore coding, I think it’s time for some entertainment 2.0. I’m not sure if you guys have seen this video yet, but you really should if you haven’t. I find everything about the song to be funny, and kind of true, which is what makes it even funnier. The coolness and “geeky-ness” of it just makes me feel like dancing. Enjoy!

Cool ain’t it? Go ahead and re-play it for another round…. I know you want to.

PS: Notice the remark “Won’t you blog about this song”…? Aha… I just did…

Credits to the video creator - Richter Scales


Google’s Campfire One: Introducing OpenSocial

Google says:

“The Web is better when it’s social”.

OpenSocial has been the hype in the Web 2.0 industry for a few days now. What it does is basically provide a common set of open APIs for developers to build social applications across different sites. This is not something that revolves only around Google apps; it is more about implementing a standard that developers can adopt so that their applications will be able to support the OpenSocial initiative.

Ahh… what am I doing here explaining all this? Why not just let Google themselves explain what OpenSocial is all about in their Campfire One - Introducing OpenSocial.

Web 2.0 developers…. take note!


