Debian Admin

If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!

By default, most pre-packaged apache installations come with full information leakage, so if you telnet to port 80 on your webserver you can check, just type in the GET / HTTP/1.1 line, then hit enter twice

#telnet localhost 80
Trying 127.0.0.1…
Connected to localhost.localdomain.
Escape character is ‘^]’.
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Fri, 30 Mar 2007 09:59:37 GMT
Server: Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-18
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

Here we see the Apache version, the distro, and the php version. If you had any extra apache modules installed, it would also show them as well as their versions. We can easily fix this by modifying the config file which will be distribution dependent. On Debian/Ubuntu its /etc/apache2/apache2.conf,We will need to modify the ServerSignature and ServerTokens lines, if you don’t have them, add them in. Here’s what they should be set to

ServerSignature Off
ServerTokens Prod

Now you need to Secure PHP version information

By default when php serves a page your header will show

X-Powered-By: PHP/4.X.X

You need to modify the php.ini and set the expose_php variable to Off. For Debian/Ubuntu, the file is /etc/php4/apache2/php.ini (If you are using php5 you need to edit this file /etc/php4/apache2/php.ini) . This will remove the X-Powered-By line.

expose_php = Off

Another problem in php could be display_errors, you want this turned off for a production web site because it might provide file paths or other informaiton.

display_errors = Off

Now you need to restart the apache web server using the following command

#/etc/init.d/apache2 restart

Test your Apache server

telnet to port 80 on your webserver just type in the GET / HTTP/1.1 line, then hit enter twice

# telnet localhost 80
Trying 127.0.0.1…
Connected to localhost.localdomain.
Escape character is ‘^]’.
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Fri, 30 Mar 2007 09:59:37 GMT
Server: Apache
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

Now you can see in the above information you don’t find any apache version details,Distro and php version details.

• Apache Public webserver with multiple local webserver with Debian
• Running Vhosts With Apache2 mpm-itk On Debian
• WebDAV Configuration With Apache2 On Debian Etch
• How to setup GeoIP support for apache2 On Debian Etch
• How to Split apache Logs With vlogger in debian etch
• How to Split lighttpd Logs With vlogger in Debian Etch
• Setup Easy Hosting Control Panel (ehcp) for Debian/Ubuntu