Tuesday, January 18, 2011

Some Useful tips for the Apache Webserver

Hide the PHP version in Apache from remote users' requests:

To prevent PHP from exposing the fact that it is installed on the server by adding its signature to the web server header, locate the expose_php directive in php.ini and turn it off.
By default expose_php is set to On.

In your php.ini (depending on your Linux distribution this can be found in various places, like /etc/php.ini, /etc/php5/apache2/php.ini, etc.) locate the line containing “expose_php = On” and set it to Off:
--------------
expose_php = Off
--------------
After making this change PHP will no longer add its signature to the web server header. Doing this will not make your server more secure; it will just prevent remote hosts from easily seeing that you have PHP installed on the system and which version you are running.

How to get web server software and version of a remote server

This can be achieved in many ways, but the simplest one in my opinion is to open a basic telnet connection to port 80 on the remote server and issue a regular request like “HEAD / HTTP/1.0” (I will use HEAD because we don’t care about the content):

telnet remote_server.com 80
Trying remote_server.com...
Connected to remote_server.com.
Escape character is '^]'.
HEAD / HTTP/1.0 <- after this press ENTER twice

HTTP/1.1 200 OK
Date: Fri, 19 Jun 2006 08:18:06 BST
Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b
Connection: close
Content-Type: text/html; charset=UTF-8

Connection closed by foreign host.

Another option is lwp-request, which provides the GET, HEAD and POST commands (“lwp-request, GET, HEAD, POST - Simple WWW user agent”):

HEAD remote_server.com
200 OK
Connection: close
Date: Fri, 09 Jun 2006 11:17:33 GMT
Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b
Content-Type: text/html; charset=UTF-8
Client-Date: Fri, 09 Jun 2006 15:13:39 GMT
Client-Peer: 192.23.0.12:80
Client-Response-Num: 1
X-Powered-By: PHP/5.1.2-1+b1

So as you can see, it is very simple to find out that this server is running Debian as its OS (from the other versions we can assume it is the Etch release), Apache 2.0.55 as the web server, PHP 5.1.2, and OpenSSL 0.9.8b.
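To check what your own server gives away, the same reading of the headers can be automated. The script below is an added example, not part of the original post: audit_headers is a hypothetical helper name, its output format is an assumption, and the sample input is copied from the responses shown above.

```shell
#!/bin/sh
# Added example: report what a response's Server / X-Powered-By headers disclose.
# audit_headers is a hypothetical helper name, not a standard tool.
# stdin : raw HTTP response headers
# stdout: one "header|product|version" line per disclosed item
# status: 1 if anything was disclosed, 0 if the headers are clean
audit_headers() {
    tr -d '\r' | awk '
    {
        colon = index($0, ":")
        if (colon == 0) next                      # status line or blank line
        name = tolower(substr($0, 1, colon - 1))
        if (name != "server" && name != "x-powered-by") next
        value = substr($0, colon + 1)
        # Parenthesised comments such as "(Debian)" reveal the platform.
        while (match(value, /\([^)]*\)/)) {
            print name "|platform|" substr(value, RSTART + 1, RLENGTH - 2)
            value = substr(value, 1, RSTART - 1) " " substr(value, RSTART + RLENGTH)
            found = 1
        }
        # Remaining tokens look like product/version; a bare product is not reported.
        n = split(value, tok, " ")
        for (i = 1; i <= n; i++) {
            slash = index(tok[i], "/")
            if (slash == 0) continue
            print name "|" substr(tok[i], 1, slash - 1) "|" substr(tok[i], slash + 1)
            found = 1
        }
    }
    END { exit (found ? 1 : 0) }'
}

# Sample input: headers copied from the responses shown above.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b
X-Powered-By: PHP/5.1.2-1+b1
Content-Type: text/html; charset=UTF-8'

printf '%s\n' "$SAMPLE_HEADERS" | audit_headers || true
```

Pipe the output of HEAD against your own server into audit_headers before and after the php.ini change; with expose_php = Off the x-powered-by line and the PHP entry from the Server header should no longer be listed.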

Kishore



