Apache PHP Fingerprinting
last edit 22.02.2012 by Bernhard
This article bundles some best practices for hardening Apache/PHP against fingerprinting, to make your webserver a little more secure!
- 1 Apache
- 2 PHP
- 3 Testing your settings
- 4 Links
Apache
Here is a nice article for some of the basics!
The following configuration should be made in your "httpd.conf":
- Disable the server information shown on error pages
- Disable the detailed server information in the HTTP header
- Change "Server: Apache" to whatever you want
To get rid of the "Server: Apache" value in the HTTP header you have (as far as we know) only two choices.
First: Change the Apache source & compile your Apache yourself
You can change the product name & version in the Apache sources. Just download the httpd package from apache.org and extract it. Once extracted, edit "include/ap_release.h". There you can change BASEPRODUCT / BASEPROJECT / BASEVENDOR & the version numbers.
Second: Install & configure ModSecurity
PHP
The PHP configuration is made in "php.ini". Here is another nice article for PHP.
- Disable the PHP X-Powered-By header
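The directives behind the Apache and PHP items above, as an added example (not the article's own configuration): the weak defaults are shown commented out beside the hardened values for "httpd.conf" and "php.ini". The mod_headers fallback and the ModSecurity signature text are my own additions, not taken from the article.

```apache
# --- httpd.conf ---

# Weak (default) settings: the full version string goes into the Server
# header and into the footer of Apache-generated error pages,
# e.g. "Apache/2.2.x (Unix) PHP/5.3.x".
#ServerTokens Full
#ServerSignature On

# Hardened: the header is reduced to "Server: Apache" and error pages
# carry no server footer at all.
ServerTokens Prod
ServerSignature Off

# Fallback at the Apache level (my addition, needs mod_headers): removes the
# PHP banner even when php.ini is not under your control.
<IfModule mod_headers.c>
    Header unset X-Powered-By
</IfModule>

# Second choice from the article: let ModSecurity rewrite the Server header.
# SecServerSignature only takes effect with ServerTokens Full, because
# ModSecurity overwrites the full string. "Webserver" is a constructed value.
#ServerTokens Full
#SecServerSignature "Webserver"

# --- php.ini (';' is the comment character there) ---

; Weak default: PHP adds "X-Powered-By: PHP/x.y.z" to every response.
;expose_php = On

; Hardened: the X-Powered-By header is no longer sent by PHP.
expose_php = Off
```

Restart Apache after changing either file; the telnet check in the next section shows whether the version strings are gone.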
Testing your settings
All you need to test whether your settings were successful is a telnet client.
This is an example of how to see your HTTP header (type the three lines after connecting; the deliberately invalid second line makes the server answer with an error page):
# telnet text.xy.com 80
HEAD / HTTP/1.0<Enter>
test<Enter>
<Enter>
The output of the above sample should be:
HTTP/1.1 400 Bad Request
Date: Thu, 02 Feb 2012 19:38:27 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=iso-8859-1

Connection closed by foreign host.
Alternatively, install the Web Application Attack and Audit Framework and run a scan of your website via the "Wizard". With the above settings there should be no detailed information about your webserver, only "Server: Apache".
Task: learn how to secure Apache and PHP by hiding version information and other information
Links
- Apache HTTP Server
- ModSecurity reference manual
- Apache Tips & Tricks: Hide PHP version (X-Powered-By)
- Web Application Attack and Audit Framework