A compromised web server is a disaster for you. Most of the time, an attacker uses information read from the server itself to attack it (e.g. version details, installed modules, configuration parameters).
It is therefore essential to harden your web server and prevent it from publishing unnecessary information about itself.
The following settings prevent such information from being published.
Hiding Apache Version
Impact: Exposing the Apache version may help an attacker use exploits against the server.
Setting: In the Apache/httpd conf file
Methodology:
- Open your httpd.conf file using a text editor such as vi:
e.g. vi httpd.conf
- Append/modify the config directives as follows:
- Set the ServerTokens parameter in Section 1 of the Apache config file to ProductOnly:
ServerTokens ProductOnly
- Set ServerSignature in Section 2 ('Main' server configuration) of the Apache config file to Off
- Save and close the file. Restart the Apache web server:
e.g. # /etc/init.d/httpd restart
Hiding PHP version
Settings: PHP configuration file (i.e. php.ini)
Note: The location of php.ini depends on the PHP version that you are using. The following are the possible locations:
- /etc/php.ini
- /etc/php4/apache/php.ini (for PHP 4)
- /etc/php5/apache/php.ini (for PHP 5)
Methodology:
Change the following option:
- expose_php = Off
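To confirm that the Apache and PHP settings above took effect, the following added example (not from the original post) checks a raw HTTP response for the details that ServerTokens, ServerSignature and expose_php control. The function names and both sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post; both sample responses are constructed.
# Live use on your own server: curl -si http://localhost/no-such-page | check_response

# Reads a raw HTTP response (headers, blank line, body) on stdin, prints one
# finding per line, and returns 1 if any version detail is exposed.
check_response() {
    awk '
        { sub(/\r$/, "") }                  # drop the CR of CRLF line endings
        $0 == "" { body = 1 }               # blank line ends the headers
        { line = tolower($0); val = $0; sub(/^[^:]*:[ \t]*/, "", val) }
        # ServerTokens ProductOnly leaves just "Apache"; a "/" or "(" means
        # version, OS or module details are still being sent.
        !body && line ~ /^server:/ && (index(val, "/") || index(val, "(")) {
            print "ServerTokens: Server header shows details: " val; bad = 1
        }
        # PHP sends this header only while expose_php is On.
        !body && line ~ /^x-powered-by:/ && line ~ /php/ {
            print "expose_php: X-Powered-By header present: " val; bad = 1
        }
        # ServerSignature On appends an <address> footer to generated pages.
        body && line ~ /<address>.*server at/ {
            print "ServerSignature: footer present on generated page"; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

sample_default() {      # constructed: stock settings
    printf '%s\r\n' 'HTTP/1.1 404 Not Found' \
        'Server: Apache/2.2.15 (CentOS) PHP/5.3.3' \
        'X-Powered-By: PHP/5.3.3' 'Content-Type: text/html' '' \
        '<address>Apache/2.2.15 (CentOS) Server at www.example.com Port 80</address>'
}

sample_hardened() {     # constructed: after the three changes above
    printf '%s\r\n' 'HTTP/1.1 404 Not Found' 'Server: Apache' \
        'Content-Type: text/html' '' '<h1>Not Found</h1>'
}

if sample_default | check_response; then echo "default: nothing exposed"; fi
if sample_hardened | check_response; then echo "hardened: nothing exposed"; fi
```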
Setting: In Apache/Httpd conf file
Methodology:
Change the Options setting inside the <Directory /> ... </Directory> tags to a restrictive setting:
e.g.
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
More details at httpd.apache.org/docs/2.2/mod/core.html#options
http://www.petefreitag.com/item/505.cfm
Thanks for sharing your info. I really appreciate your efforts and I will be waiting for your further write ups thanks once again.