Securing Apache Web Server from information leakage

Posted on by 2 Comments

By default, most pre-packaged apache installations come with full information leakage, so if you telnet to port 80 on your webserver you can check, just type in the GET / HTTP/1.1 line, then hit enter twice

#telnet localhost 80
Trying 127.0.0.1…
Connected to localhost.localdomain.
Escape character is ‘^]’.
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Fri, 30 Mar 2007 09:59:37 GMT
Server: Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-18
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

Here we see the Apache version, the distro, and the php version. If you had any extra apache modules installed, it would also show them as well as their versions. We can easily fix this by modifying the config file which will be distribution dependent. On Debian/Ubuntu its /etc/apache2/apache2.conf,We will need to modify the ServerSignature and ServerTokens lines, if you don’t have them, add them in. Here’s what they should be set to

ServerSignature Off
ServerTokens Prod

Now you need to Secure PHP version information

By default when php serves a page your header will show

X-Powered-By: PHP/4.X.X

You need to modify the php.ini and set the expose_php variable to Off. For Debian/Ubuntu, the file is /etc/php4/apache2/php.ini (If you are using php5 you need to edit this file /etc/php4/apache2/php.ini) . This will remove the X-Powered-By line.

expose_php = Off

Another problem in php could be display_errors, you want this turned off for a production web site because it might provide file paths or other informaiton.

display_errors = Off

Now you need to restart the apache web server using the following command

#/etc/init.d/apache2 restart

Test your Apache server

telnet to port 80 on your webserver just type in the GET / HTTP/1.1 line, then hit enter twice

# telnet localhost 80
Trying 127.0.0.1…
Connected to localhost.localdomain.
Escape character is ‘^]’.
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Fri, 30 Mar 2007 09:59:37 GMT
Server: Apache
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

Now you can see in the above information you don’t find any apache version details,Distro and php version details.

Sponsored Link

Related content:

  1. Apache Tips:Hide Apache Information & PHP software version
  2. Apache Web server Useful Tips
  3. Apache2 web server with php support in ubuntu
  4. How To Install Apache, MySQL and PHP on Debian 7.0
  5. How to setup GeoIP support for apache2 On Debian Etch

2 thoughts on “Securing Apache Web Server from information leakage

  1. I was just looking for this.
    Im almost 3 years to late lol but its usefull.
    Does anybody know how to give out custom text instead of

    Apache/x (Debian) PHP/x+lenny4 with Suhosin-Patch Server at x Port 80

    Thanks

  2. If you use XAMPP (v2.5.8) look for the file named httpd-default.conf under etcxamppapacheconfextra and then make the necessary changes (ServerSignature Off, ServerTokens Prod).

    I was not able to find this info in the net. Hope it helps someone.

Leave a comment

Your email address will not be published. Required fields are marked *