17.1.5 Hide your identity
Most web servers, by default, send out information about themselves with each request served. For example, a default installation of Mandrake Linux 9.1 returns the following information with each file served:
Server: Apache/2.0.48 (Win32) PHP/5.0.2-dev
From that we can ascertain that the machine is running Apache 2.0.48 on Windows, with a CVS (development) build of PHP 5.0.2.
Now all an attacker has to do is check for known bugs in Apache 2.0.49, PHP 5.0.2 or, worse, Windows, and exploit them; we have in effect given them a head start.
In your httpd.conf file, look for the two directives "ServerSignature" and "ServerTokens"; both control what information Apache gives out about itself. ServerSignature defines what Apache prints at the bottom of server-generated pages such as 404 error pages. Similarly, with ServerTokens set to "Full" (the default), the same information is sent along with every request. To change this, set ServerSignature to "Off" and ServerTokens to "Prod": this stops Apache printing anything at the bottom of error pages, and restricts the information sent with each request to just "Apache". A big step forward: at least now your site will not show up when people scan for particular Apache versions.
Here is how that same Windows Apache server describes itself with these changes in place:
Server: Apache
Much better!
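Here is an added example (not code from the book) that checks both sides of this: it parses a Server header to see whether it still exposes versions or platform details, and audits an httpd.conf fragment for the ServerTokens and ServerSignature values described above. The sample headers and config fragments are constructed for the demonstration.

```python
import re

# Constructed samples: the two Server headers shown in this section plus one extra.
SAMPLE_HEADERS = {
    "default": "Apache/2.0.48 (Win32) PHP/5.0.2-dev",
    "hardened": "Apache",
    "partial": "Apache/2.0 (Unix)",
}

# One product token: name[/version][ (comment)], e.g. "Apache/2.0.48 (Win32)".
TOKEN_RE = re.compile(r"(?P<product>[^\s/()]+)(?:/(?P<version>[^\s()]+))?(?:\s*\((?P<comment>[^)]*)\))?")

def parse_server_header(value):
    """Split a Server header into (product, version, comment) tuples."""
    return [(m.group("product"), m.group("version"), m.group("comment"))
            for m in TOKEN_RE.finditer(value)]

def header_leaks(value):
    """True if any token exposes a version number or a platform comment."""
    return any(version or comment for _, version, comment in parse_server_header(value))

# httpd.conf only has whole-line comments, so lines starting with '#' are skipped;
# as in Apache, the last occurrence of a directive wins.
DIRECTIVE_RE = re.compile(r"^\s*(ServerTokens|ServerSignature)\s+(\S+)", re.IGNORECASE)
WANTED = {"servertokens": "prod", "serversignature": "off"}

def audit_httpd_conf(text):
    """Return a list of findings; an empty list means both directives are hardened."""
    seen = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            seen[m.group(1).lower()] = m.group(2).lower()
    findings = []
    for name, want in WANTED.items():
        got = seen.get(name)
        if got != want:
            shown = "not set" if got is None else repr(got)
            findings.append(f"{name} is {shown}; want {want!r}")
    return findings

WEAK_CONF = "ServerTokens Full\nServerSignature On\n"                   # constructed
HARDENED_CONF = "# hardened\nServerSignature Off\nServerTokens Prod\n"  # constructed

if __name__ == "__main__":
    for label, hdr in SAMPLE_HEADERS.items():
        print(f"{label:9} {hdr!r:40} leaks={header_leaks(hdr)}")
    print("weak:", audit_httpd_conf(WEAK_CONF))
    print("hardened:", audit_httpd_conf(HARDENED_CONF))
```

A missing directive is reported as a finding too, since ServerTokens falls back to "Full" when it is not set explicitly.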