Securing Apache and PHP

Published on June 22, 2010, by in linux, sysadmin.

How do I keep my 404 pages from revealing all of my server information?

Every time a request is made to your web server, it provides information about itself.
While there is nothing generally wrong with this, a potential attacker could identify a specific vulnerable software version on your web server and single it out as a target.

You can opt to just keep everything private!

You may have seen this before:

Not Found

The requested URL /asdfasdf.html was not found on this server.
Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 Phusion_Passenger/2.2.11
PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_ssl/2.2.9
OpenSSL/0.9.8g mod_wsgi/2.5 Python/2.5.2 Server
at xxxxxxxxxxx Port 80

[Image: apache404, the default Apache 404 page with the full server signature shown above]

Well, you can make it look like this instead:

[Image: apache404_2, the same 404 page with the server signature removed]



Here are some basic initial settings to stop Apache and PHP from revealing version information.

Apache:

Edit the following file and change the values as below.

Ubuntu:

/etc/apache2/conf.d/security



CentOS:

/etc/httpd/conf/httpd.conf



And make these changes:

ServerTokens Prod
ServerSignature Off
TraceEnable Off

PHP:

Edit the following file and change the values as below.

Ubuntu:

/etc/php5/apache2/php.ini



CentOS:

/etc/php.ini


And make these changes:

expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off



After editing and saving these files, restart apache with

sudo /etc/init.d/apache2 restart



or on CentOS

sudo /etc/init.d/httpd restart





You can check your server by doing the following:

1. telnet domain.com 80
2. HEAD / HTTP/1.1
3. Press ENTER again



An exposed server will show this:

telnet example.com 80
Trying 192.168.1.1...
Connected to example.com.
Escape character is '^]'.
HEAD / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Tue, 22 Jun 2010 17:02:02 GMT
Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1
Phusion_Passenger/2.2.11 PHP/5.2.6-1+lenny8
with Suhosin-Patch mod_ssl/2.2.9
OpenSSL/0.9.8g mod_wsgi/2.5 Python/2.5.2
Connection: close
Content-Type: text/html; charset=iso-8859-1



While a server with the settings above applied shows only this:

telnet scottlinux.com 80
Trying 173.230.156.66...
Connected to scottlinux.com.
Escape character is '^]'.
HEAD / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Tue, 22 Jun 2010 17:02:34 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1




After making these changes, use a program like nikto to check for various vulnerabilities and security tidbits!
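As an added example (not code from the original post), here is a small POSIX sh helper that automates both halves of the procedure above: auditing an Apache config or php.ini for the settings recommended, and inspecting an HTTP response header block, such as the one returned in the telnet session, for the leaks those settings remove. The sample config and response texts it uses are constructed, modelled on the output shown above, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post. audit_apache_conf and
# audit_php_ini check a config file for the recommended settings;
# check_headers reads an HTTP response header block from stdin and reports
# version leaks. Sample config and response texts below are constructed.

# has_setting FILE KEY VALUE: true if FILE has an uncommented "KEY VALUE" or
# "KEY = VALUE" line (Apache and php.ini syntax respectively), case-insensitive.
has_setting() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]*=?[[:space:]]*$3[[:space:]]*$" "$1"
}

# audit_settings FILE "Key Value"...: prints ok/MISSING per setting;
# exit status is the number of missing settings (0 = all present).
audit_settings() {
    file=$1; shift
    missing=0
    for kv in "$@"; do
        key=${kv%% *}; val=${kv#* }
        if has_setting "$file" "$key" "$val"; then
            echo "ok:      $kv"
        else
            echo "MISSING: $kv"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

audit_apache_conf() {
    audit_settings "$1" "ServerTokens Prod" "ServerSignature Off" "TraceEnable Off"
}

audit_php_ini() {
    audit_settings "$1" "expose_php Off" "display_errors Off" \
                        "track_errors Off" "html_errors Off"
}

# check_headers: reads HTTP headers from stdin, prints one line per header of
# interest; returns 0 if nothing leaks, 1 otherwise.
check_headers() {
    leaks=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')   # tolerate CRLF line ends
        value=${line#*: }
        case "$line" in
            [Ss]erver:*)
                case "$value" in
                    */*) echo "LEAK: Server header carries versions: $value"; leaks=1 ;;
                    *)   echo "ok:   Server header is generic: $value" ;;
                esac ;;
            [Xx]-[Pp]owered-[Bb]y:*)
                # PHP adds this header unless expose_php = Off
                echo "LEAK: X-Powered-By present: $value"; leaks=1 ;;
            [Aa]llow:*TRACE*)
                echo "LEAK: TRACE advertised in Allow; set TraceEnable Off"; leaks=1 ;;
        esac
    done
    return $leaks
}

# Constructed sample responses (modelled on the telnet output above).
EXPOSED='HTTP/1.1 400 Bad Request
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny8 mod_ssl/2.2.9
X-Powered-By: PHP/5.2.6-1+lenny8
Connection: close'

HARDENED='HTTP/1.1 400 Bad Request
Server: Apache
Vary: Accept-Encoding
Connection: close'

# Demo when run directly. Against your own host use, for example:
#   curl -sI http://localhost/ | check_headers
echo "== exposed ==";  printf '%s\n' "$EXPOSED"  | check_headers || true
echo "== hardened =="; printf '%s\n' "$HARDENED" | check_headers || true
```

Run it as `audit_apache_conf /etc/apache2/conf.d/security` (or `/etc/httpd/conf/httpd.conf` on CentOS) and `audit_php_ini /etc/php5/apache2/php.ini` after editing, then pipe a live response into `check_headers` after the restart. The `Allow:` check is only a hint; the direct test for `TraceEnable Off` is sending a `TRACE / HTTP/1.1` request over the same telnet session, which Apache then answers with 405 Method Not Allowed instead of echoing the request back.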


2 Responses

  1. Alamgir

    Helpful topics.

    Thanks

  2. Simon

    I don't know how working contact

© Copyleft scottlinux.com CC BY-SA 3.0