Hide the PHP version in Apache from remote users' requests:
PHP announces that it is installed on the server by adding its signature to the web server header. To prevent this, locate the expose_php variable in php.ini and turn it off.
By default expose_php is set to On.
In your php.ini (depending on your Linux distribution this can be found in various places, such as /etc/php.ini, /etc/php5/apache2/php.ini, etc.), locate the line containing “expose_php = On” and set it to Off:
--------------
expose_php = Off
--------------
After making this change, PHP will no longer add its signature to the web server header. Doing this will not make your server more secure; it will just prevent remote hosts from easily seeing that you have PHP installed on the system and which version you are running.
How to get web server software and version of a remote server
telnet remote_server.com 80
Trying remote_server.com...
Connected to remote_server.com.
Escape character is '^]'.
HEAD / HTTP/1.0 <- after this press 2 times ENTER
HTTP/1.1 200 OK
Date: Fri, 19 Jun 2006 08:18:06 BST
Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b
Connection: close
Content-Type: text/html; charset=UTF-8
Connection closed by foreign host.
Or, as another tip, use the GET and HEAD tools:
lwp-request, GET, HEAD, POST - Simple WWW user agent
HEAD remote_server.com
200 OK
Connection: close
Date: Fri, 09 Jun 2006 11:17:33 GMT
Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b
Content-Type: text/html; charset=UTF-8
Client-Date: Fri, 09 Jun 2006 15:13:39 GMT
Client-Peer: 192.23.0.12:80
Client-Response-Num: 1
X-Powered-By: PHP/5.1.2-1+b1
So as you can see, it is simple to find out that this server is running Debian as its OS (from the other versions we can assume it is the Etch release), Apache 2.0.55 as the web server, PHP 5.1.2, and OpenSSL 0.9.8b.
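To confirm the php.ini change on your own server, the response head can be checked for PHP tokens automatically. The following is an added example, not part of the original post: the function names are hypothetical, the BEFORE sample reuses the header values from the capture above, and the AFTER sample is constructed to show the expected result once expose_php is Off.

```python
import re

# "Name/version" product tokens; parenthesised comments such as "(Debian)" are matched separately.
TOKEN = re.compile(r"([A-Za-z0-9_.\-]+)/([^\s()]+)")
COMMENT = re.compile(r"\(([^)]*)\)")
DISCLOSING = ("server", "x-powered-by")   # headers that carry software signatures

def parse_headers(raw):
    """Return {lowercased-name: value} from a raw HTTP response head."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():               # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def disclosed(raw):
    """List (header, product, version) tuples that any remote client can read."""
    headers = parse_headers(raw)
    found = []
    for name in DISCLOSING:
        value = headers.get(name, "")
        found += [(name, product, version) for product, version in TOKEN.findall(value)]
        found += [(name, "comment", text) for text in COMMENT.findall(value)]
    return found

def php_exposed(raw):
    """True if any signature header still names PHP."""
    return any(product.upper() == "PHP" for _, product, _ in disclosed(raw))

# Header values as shown in the capture above (expose_php = On).
BEFORE = """HTTP/1.1 200 OK
Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.1.2-1+b1
"""

# Constructed sample: same server after expose_php = Off (assumption for illustration).
AFTER = """HTTP/1.1 200 OK
Server: Apache/2.0.55 (Debian) mod_ssl/2.0.55 OpenSSL/0.9.8b
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, "PHP exposed:", php_exposed(sample), disclosed(sample))
```

The remaining Apache, mod_ssl and OpenSSL tokens in the AFTER sample come from the web server itself, so the php.ini setting does not affect them.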
Kishore