Debian Admin - Your way to Debian World

April 2, 2007

Securing Apache Web Server from information leakage

by Admin @ 8:21 am. Filed under Webserver

If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!

By default, most pre-packaged apache installations come with full information leakage, so if you telnet to port 80 on your webserver you can check, just type in the GET / HTTP/1.1 line, then hit enter twice

#telnet localhost 80
Trying 127.0.0.1…
Connected to localhost.localdomain.
Escape character is ‘^]’.
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Fri, 30 Mar 2007 09:59:37 GMT
Server: Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-18
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

Here we see the Apache version, the distro, and the php version. If you had any extra apache modules installed, it would also show them as well as their versions. We can easily fix this by modifying the config file which will be distribution dependent. On Debian/Ubuntu its /etc/apache2/apache2.conf,We will need to modify the ServerSignature and ServerTokens lines, if you don’t have them, add them in. Here’s what they should be set to

ServerSignature Off
ServerTokens Prod

Now you need to Secure PHP version information

By default when php serves a page your header will show

X-Powered-By: PHP/4.X.X

You need to modify the php.ini and set the expose_php variable to Off. For Debian/Ubuntu, the file is /etc/php4/apache2/php.ini (If you are using php5 you need to edit this file /etc/php4/apache2/php.ini) . This will remove the X-Powered-By line.

expose_php = Off

Another problem in php could be display_errors, you want this turned off for a production web site because it might provide file paths or other informaiton.

display_errors = Off

Now you need to restart the apache web server using the following command

#/etc/init.d/apache2 restart

Test your Apache server

telnet to port 80 on your webserver just type in the GET / HTTP/1.1 line, then hit enter twice

# telnet localhost 80
Trying 127.0.0.1…
Connected to localhost.localdomain.
Escape character is ‘^]’.
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Fri, 30 Mar 2007 09:59:37 GMT
Server: Apache
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

Now you can see in the above information you don’t find any apache version details,Distro and php version details.

Tags: , , , ,

You may also be interested in...

One Response to “Securing Apache Web Server from information leakage”

  1. XSet Says:
    April 2nd, 2007 at 9:31 am

    Securing Apache Web Server from information leakage…

    A good overview for those running their own Apache / PHP server - Link
    ……

Leave a Reply

« Inkscape Vector Graphics Editor in Ubuntu
How to Install Backports Debian Packages »

Subscribe RSS Feed

subscribe to the Debian Admin RSS feed

Internal links:

Sponsors:



Categories:

Support Debian Admin

Amount $:
Website(Optional):

Sponsors:

Archives:

Related Links:


Favourite Sites:

Wordpress Collection
Windows Reference
Ubuntu Geek
DebianHelp
All About Debian Tutorials
Power Electrical
Check Your IP Here
Debian,Ubuntu News
DebCentral
Tuxmachines
Capnkirby
Libervis
Nuxifield
Linux Horizon
Linux Appfinder
Debuntu
GNU/Linux For Everyone
Free Penguin
DebianAdmin is not related to the Debian Project.
This site is copyright © 2006,2007 Debian Admin
All Trademarks are the property of their respective owners.
The contents of this website may not be mirrored or archived without the express written permission of DebianAdmin Site Owner.

DISCLAIMER: All the information, troubleshooting methods, utilities offered in this website is provided AS-IS, without any warranties. Though I strive for perfection, and always test the validity and effectiveness of the troubleshooting content in various systems, I assume no responsibility for your use of these Fixes, Utilities and other troubleshooting advice. The author will not be liable for any special, incidental, consequential or indirect damages due to loss of data or any other reason. All use is completely at your own risk. Changes to the existing content and new additions are made to this website periodically, without notification.
Rodney's Kontera DynamiContext Plugin plugged in.