Securing Apache and PHP

By | 2010/06/22

How do I keep my 404 pages from revealing all of my server information?

Every time a request is made to your web server, it provides information about itself.
While there is generally nothing wrong with this, a potential hacker could identify a specific vulnerable software version on your web server and single it out as a target.

You can opt to just keep everything private!

You may have seen this before:

Not Found

The requested URL /asdfasdf.html was not found on this server.
Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 Phusion_Passenger/2.2.11 PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g mod_wsgi/2.5 Python/2.5.2 Server at xxxxxxxxxxx Port 80

[screenshot: apache404]

Well, you can make it look like this instead:

[screenshot: apache404_2]

Here are some basic initial settings to keep Apache and PHP from revealing information about themselves.

Apache:

Edit the following file and change the values as below.

Ubuntu:

/etc/apache2/conf.d/security

CentOS:

/etc/httpd/conf/httpd.conf

And make these changes:

ServerTokens Prod
ServerSignature Off
TraceEnable Off

PHP:

Edit the following file and change the values as below.

Ubuntu:

/etc/php5/apache2/php.ini

CentOS:

/etc/php.ini

And make these changes:

expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off

After editing and saving these files, restart Apache with

sudo /etc/init.d/apache2 restart

or on CentOS

sudo /etc/init.d/httpd restart

You can check your server by doing the following:

1. telnet domain.com 80
2. HEAD / HTTP/1.1
3. Press ENTER again

An exposed server will show this:

telnet example.com 80
Trying 192.168.1.1...
Connected to example.com.
Escape character is '^]'.
HEAD / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Tue, 22 Jun 2010 17:02:02 GMT
Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1
Phusion_Passenger/2.2.11 PHP/5.2.6-1+lenny8
with Suhosin-Patch mod_ssl/2.2.9
OpenSSL/0.9.8g mod_wsgi/2.5 Python/2.5.2
Connection: close
Content-Type: text/html; charset=iso-8859-1

While one with the above settings applied shows only this:

telnet scottlinux.com 80
Trying 173.230.156.66...
Connected to scottlinux.com.
Escape character is '^]'.
HEAD / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Tue, 22 Jun 2010 17:02:34 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
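The same check, scripted, as an added example that is not from the original post: it parses a response head, flags any "name/version" tokens in the Server header and in X-Powered-By (the header expose_php = On adds to PHP responses), and can probe your own server with a proper HTTP/1.1 HEAD request. The two sample responses are constructed from the telnet sessions above; the X-Powered-By line is an assumption added for illustration.

```python
import http.client
import re

# Constructed samples (not captured from the page): header blocks modelled on the
# two telnet sessions above, plus the X-Powered-By header that expose_php = On emits.
EXPOSED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 Phusion_Passenger/2.2.11 "
    "PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g "
    "mod_wsgi/2.5 Python/2.5.2\r\n"
    "X-Powered-By: PHP/5.2.6-1+lenny8\r\n"
    "Connection: close\r\n\r\n"
)
HARDENED = "HTTP/1.1 200 OK\r\nServer: Apache\r\nVary: Accept-Encoding\r\nConnection: close\r\n\r\n"

# Matches "name/version" tokens such as Apache/2.2.9, mod_ssl/2.2.9 or OpenSSL/0.9.8g.
VERSION_TOKEN = re.compile(r"[A-Za-z_][\w.-]*/\d[\w.+-]*")

def parse_headers(raw):
    """Return {lowercased name: value} for an HTTP response head (status line dropped)."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Flag version strings leaked through Server and X-Powered-By.
    'leaks' maps header name -> version tokens found; 'ok' is True only if none were."""
    headers = parse_headers(raw)
    leaks = {}
    for name in ("server", "x-powered-by"):
        tokens = VERSION_TOKEN.findall(headers.get(name, ""))
        if tokens:
            leaks[name] = tokens
    return {"leaks": leaks, "ok": not leaks}

def probe(host, port=80, timeout=5):
    """HEAD / against your own server, sending the Host header HTTP/1.1 requires
    (its absence is why the telnet sessions above get 400 Bad Request)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("HEAD", "/", headers={"Host": host})
    resp = conn.getresponse()
    raw = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
    raw += "".join("%s: %s\r\n" % kv for kv in resp.getheaders()) + "\r\n"
    conn.close()
    return raw

if __name__ == "__main__":
    for label, raw in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, audit(raw))  # hardened -> {'leaks': {}, 'ok': True}
```

Run `audit(probe("yourhost.example"))` after restarting Apache to confirm the Server header has collapsed to a bare product name.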

After making these changes, use a program like nikto to check for various vulnerabilities and security tidbits!
