Hide Apache, PHP and Bind Versions
To Check Apache Version:
By default, Apache will send version and modules information like mod_php, mod_perl, mod_ssl in every HTTP header.
If you want to view Apache web server version and sofware of a remote server, follow this procedure.
# telnet example.com 80
Trying example.com...
Connected to example.com.
Escape character is ‘^]'.
HEAD / HTTP/1.0 <- after this press 2 times ENTER
HTTP/1.1 200 OK
Date: Sun, 07 Oct 2012 12:57:57 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 JRun/4.0
Last-Modified: Tue, 03 Jan 2012 11:41:16 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Connection closed by foreign host.
In the above example it is showing all the details about your web server and php this is not recommended for security reasons.We need to hide this information with the following procedure.
To Hide Apache Information:
To hide the information, add the following two apache directives in Apache configuration file, (httpd.conf or apache2.conf)
ServerTokens ProductOnly
ServerSignature Off
# /etc/init.d/httpd restart
Now the output for apache header looks like below
Server: Apache
To Hide PHP Version Details
Locate php.ini loaded in the server.
Change the following option in php.ini
expose_php On
to
expose_php Off
# /etc/init.d/httpd restart
To Hide BIND Version
You can check the Bind version of a server by using the following command.
# dig +short @XXX.XXX.XXX.XXX -c CH -t txt version.bind
"9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.4"
To hide your version of bind, change the version value in named.conf as like the following.
You can give any string for the version.
options {
directory "/var/named";
version "We Just Hide It";
};
# dig +short @XXX.XXX.XXX.XXX -c CH -t txt version.bind
"We Just Hide It"
No comments:
Post a Comment