Jan 302007
 

Sponsored Link

Hide PHP Version in Apache from remote users requests

In order to prevent PHP from exposing the fact that it is installed on the server, by adding its signature to the web server header we need to locate in php.ini the variable expose_php and turn it off.By default expose_php is set to On.

In your php.ini (based on your Linux distribution this can be found in various places, like /etc/php.ini, /etc/php5/apache2/php.ini, etc.) locate the line containing “expose_php On” and set it to Off:

expose_php = Off

After making this change PHP will no longer add it’s signature to the web server header. Doing this, will not make your server more secure… it will just prevent remote hosts to easily see that you have PHP installed on the system and what version you are running.

How to get web server software and version of a remote server

This can be achieved in many ways, but the simplest one in my opinion is to use a basic telnet connection on port 80 to the remote server and issue a regular request like “HEAD / HTTP/1.0” (I will use HEAD because we don’t care about the content):

telnet remote_server.com 80
Trying remote_server.com...
Connected to remote_server.com.
Escape character is ‘^]'.
HEAD / HTTP/1.0 <- after this press 2 times ENTER

HTTP/1.1 200 OK
Date: Fri, 19 Jun 2006 08:18:06 BST
Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b
Connection: close
Content-Type: text/html; charset=UTF-8

Connection closed by foreign host.

or

Another tip about GET , HEAD….
lwp-request, GET, HEAD, POST - Simple WWW user agent

HEAD remote_server.com
200 OK
Connection: close
Date: Fri, 09 Jun 2006 11:17:33 GMT
Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b
Content-Type: text/html; charset=UTF-8
Client-Date: Fri, 09 Jun 2006 15:13:39 GMT
Client-Peer: 192.23.0.12:80
Client-Response-Num: 1
X-Powered-By: PHP/5.1.2-1+b1

So as you can see, it is so simple to find out that this server is using: Debian as OS (from the other versions we can assume it is Etch version), Apache 2.0.55 as web server, PHP 5.1.2, and OpenSSL 0.9.8b.

How to hide some files from appearing in directory indexes

to prevent certain files from appearing in directory indexes, in case this needs to remain enabled. This is particularly useful for non html files (or raw files not parsed by apache and returned as a html to the browser), for example: php include files, libraries (that will not have the extension php), or log files, or any other file that you might want to prevent the users to easily see in the browser.

Normally I will disable directory indexes, and this will not be needed, but in case you have to keep directory indexes ON for some reason, then it is a good idea to hide some files from showing in the directory indexes.
This will not prevent peoples to download the files as long as they know (or guess) the file name/location, it will just hide the files from the index generation. Some good examples of what files to hide like this:

.htaccess (for obvious reasons)
*.bak *~ (this can lead to download the source of some parsed web files that are saved as backup files)
RCS CVS *,v *,t (hide cvs related files)
*.inc (or whatever files extensions you might use to include in regular php files)

These are just examples and you should use this directive based on your particular need.

IndexIgnore

We will use the apache directive IndexIgnore to hide the list of files. Since this can be used in global configuration and also in virtual host configuration, per directory or in .htaccess it is useful to know that any new IndexIgnore line will actually add the files to the list of hidden files and not overwrite a previous definition. So you can choose this as you see it fit (add them all in one place in a single line, or have more ignore list defined, etc.). To achieve our sample here is how we will hide the file types from above to appear in directory indexes:

IndexIgnore .htaccess
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
IndexIgnore *.incOr the same thing in one single line:

IndexIgnore .htaccess .??* *~ *# HEADER* README* RCS CVS *,v *,t *.incSome Linux distributions will include some defaults for this directive, but in case you have directory indexes ON you should really look into this directive and add the files you don’t want the users to see in a browser in a directory index

Hide apache software version

If you want to hide apache software version for security reasons you need to use ServerTokens and ServerSignature directives. Basically to provide only a minimal amount of information we will set this in the main config to:

ServerTokens ProductOnly
ServerSignature Off

Sponsored Link

 Posted by at 4:41 pm
  • http://www.devside.net/ Apache and PHP

    You should also have something like this under httpd.conf to make sure that if the php module is not loaded, no one will be able to see the source… Which can expose mysql db/user/password info and a lot more!

    Order allow,deny
    Deny from all

  • http://www.devside.net/ Apache and PHP

    It looks like the code was removed due to the tags… let me try again…

    <IfModule !php4_module>
    <FilesMatch “\.php[45]?$”>
    Order allow,deny
    Deny from all
    </FilesMatch>
    </IfModule>