Hiding Apache and PHP version numbers
by Webantix on Mar.19, 2010, under Apache, Linux, Security
After running a number of tests on my own server I kept seeing that, by default, Apache leaks a lot of information. Maybe not the most extreme threat, but still giving a little too much away for my liking.
The three main leaks are:
- Apache version on error pages
(Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 Server at 10.0.0.1 Port 80)
- Apache advertising itself in the headers
(Server - Apache/2.2.3 (CentOS) DAV/2 PHP/5.2.12 OpenSSL/0.9.8e-fips-rhel5)
- PHP advertising itself in the headers
(X-Powered-By - PHP/5.2.6-2ubuntu4.6)
Below is how to turn these settings off to keep your footprint to a minimum.
ServerTokens
ServerTokens configures what the Server HTTP response header says. There are a number of options, but in your httpd.conf (or on Ubuntu in /etc/apache2/conf.d/security) add the following line.
ServerTokens Prod
This will narrow the header to say just “Apache”.
ServerSignature
The server signature is displayed at the bottom of any default error page. To stop this, add the following line in the same file as ServerTokens.
ServerSignature Off
expose_php
Finally, I found that there was still a response header with my PHP details. To remove this, edit your php.ini file and set the following directive to off.
expose_php=off
I admit none of these will plug any vulnerability; they just make it harder to capture information and make reconnaissance for the hacker that much harder.
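As an added check, not part of the original post, the following Python script audits a saved HTTP response for the three leaks described above (Server header detail, X-Powered-By, and the error-page footer). The two sample responses are constructed from the post's own example values, and the file name audit.py in the comment is an assumption.

```python
import re
import sys

# A product token carrying a version, e.g. "Apache/2.2.3" or "PHP/5.2.12".
VERSIONED_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d[\w.-]*")
# The footer that ServerSignature adds to default error pages.
SIGNATURE = re.compile(r"Server at \S+ Port \d+")

def parse_headers(head):
    """Map lower-cased header names to values; the status line is skipped."""
    headers = {}
    for line in head.splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.startswith("HTTP/"):
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_response(raw):
    """Return one finding per leak still present; an empty list means all three are off."""
    head, *rest = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    body = rest[0] if rest else ""
    headers = parse_headers(head)
    findings = []
    server = headers.get("server", "")
    # ServerTokens Prod reduces the header to the bare product name ("Apache").
    if VERSIONED_TOKEN.search(server) or len(server.split()) > 1:
        findings.append("ServerTokens: Server header still detailed: " + server)
    # expose_php=off removes this header entirely.
    if "x-powered-by" in headers:
        findings.append("expose_php: X-Powered-By present: " + headers["x-powered-by"])
    # ServerSignature Off removes the footer from error pages.
    match = SIGNATURE.search(body)
    if match:
        findings.append("ServerSignature: error page footer present: " + match.group(0))
    return findings

# Constructed sample responses (values taken from the post's own examples).
LEAKY_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.2.3 (CentOS) DAV/2 PHP/5.2.12 OpenSSL/0.9.8e-fips-rhel5\r\n"
    "X-Powered-By: PHP/5.2.6-2ubuntu4.6\r\n\r\n"
    "<address>Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 Server at 10.0.0.1 Port 80</address>\n"
)
HARDENED_RESPONSE = "HTTP/1.1 404 Not Found\r\nServer: Apache\r\n\r\n<h1>Not Found</h1>\n"

if __name__ == "__main__":
    # Pipe a real response in: curl -si http://your-server/nonexistent | python3 audit.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else LEAKY_RESPONSE
    print("\n".join(audit_response(raw) or ["no leaks found"]))
```

Run it against a request for a nonexistent page so that the error-page footer check has a body to inspect.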
Resources for this post
http://httpd.apache.org/docs/2.2/mod/core.html#servertokens
http://httpd.apache.org/docs/2.2/mod/core.html#serversignature
http://php.net/manual/en/ini.core.php#ini.expose-php