How to hide your Apache and PHP version number - Blogs - GOZEN Host Forums

How to hide your Apache and PHP version number

by , 09-19-2012 at 01:33 PM (5348 Views)
One of the most basic security practices in the web application world is to hide your web server's software version number.
It doesn't matter if you use Apache 2.x.xx or lighttpd 1.x.xx on a Linux machine or IIS-x.x on Windows: hiding the version number is important if you want to mitigate the risk of your server being attacked by troublemakers.

Showing your version numbers is asking to be hacked. It happens with Joomla, Drupal and WordPress, and just as with any script, it happens with your server software such as Apache, PHP or MySQL. When someone knows which version your web server is running, it is easy for an average hacker to find the vulnerabilities associated with that version and then simply run the related exploit to hack your server or web site.

Attackers can easily find out the type and version of your web server by looking at the HTTP response headers they receive after sending requests (a typical visit) to your application, or even worse, through a Telnet program, or by using Firefox add-ons/extensions like ServerSpy and Live HTTP Headers.

Hide Apache version number:

  1. Open your Apache httpd.conf file (in this case, # nano /usr/local/apache/conf/httpd.conf), and look for the line that says: "ServerSignature On"
  2. Change it to "ServerSignature Off" (this will hide the Apache version normally seen at the bottom of your 404 error pages)
  3. Then add "ServerTokens Prod" below that line (to hide the version in HTTP response headers)
  4. Restart your HTTP service (# /etc/init.d/httpd restart)
  5. Done! No more Apache version numbers



Hide PHP version number:

  1. Find your php.ini file (in this case, # nano /usr/local/lib/php.ini), and look for the line that says: "expose_php = On"
  2. Change it to: "expose_php = Off"
  3. Restart your HTTP service if necessary
  4. Done! No more PHP version number in your HTTP response header
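
To confirm that both changes took effect, the check below (an added example, not part of the original post) reads raw response headers, such as those printed by `curl -sI`, and reports any Server or X-Powered-By value that still carries a version token. The two header samples and their version strings are constructed for illustration, and the check does not look at the ServerSignature footer on error pages.

```shell
#!/bin/sh
# Added example: flag response headers that still disclose a version.
# Real use (URL is an assumption): curl -sI http://localhost/ | check_version_leak

check_version_leak() {
    # Reads HTTP response headers on stdin.
    # Prints one "LEAK" line per disclosing header; returns 1 if any was found.
    awk '
        {
            sub(/\r$/, "")                        # drop CR from CRLF line endings
            name = tolower($0); sub(/:.*/, "", name)
            value = $0; sub(/^[^:]*:[ \t]*/, "", value)
        }
        # A product/version token looks like "Apache/2..." or "PHP/5..."
        (name == "server" || name == "x-powered-by") && value ~ "/[0-9]" {
            printf "LEAK %s: %s\n", name, value
            leaks++
        }
        END { exit (leaks > 0) }
    '
}

# Constructed sample: default settings (full ServerTokens, expose_php = On)
sample_before() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Server: Apache/2.2.22 (Unix) PHP/5.3.10\r\n'
    printf 'X-Powered-By: PHP/5.3.10\r\n'
    printf 'Content-Type: text/html\r\n\r\n'
}

# Constructed sample: after "ServerTokens Prod" and "expose_php = Off"
sample_after() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Server: Apache\r\n'
    printf 'Content-Type: text/html\r\n\r\n'
}

echo "before:"; sample_before | check_version_leak || true
echo "after:";  sample_after  | check_version_leak && echo "no version disclosed"
```
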



Well, that's all. That wasn't hard, was it? Just a few tweaks can save you a great deal of security risk and may also save your business! Keep in mind that these tweaks do not in any way protect you from real vulnerabilities that may be associated with the version of the script you are using. Patches or upgrades should still be applied!
However, hiding the version numbers will at least make the hacker's life harder.


Updated 09-19-2012 at 05:25 PM by Blaine

Categories
Server Optimization