Apache PHP Fingerprinting

From n0r1sk software solutions

last edit 22.02.2012 by Bernhard

This article bundles some best practices against Apache/PHP fingerprinting to make your web server a little more secure!

Apache

Here is a nice article for some of the basics!

The following configuration should be made in your "httpd.conf".

Disable the server signature on error pages

ServerSignature Off

Disable detailed server information in the HTTP header

ServerTokens Prod

Change "Server: Apache" to what you want

To get rid of the "Server: Apache" message in the HTTP header you have (as far as we know) only two choices.

First: Change the Apache source & compile your Apache yourself

You can change the product name and version in the Apache sources. Just download the httpd package from apache.org and extract it. Once extracted, edit "include/ap_release.h". There you can change BASEPRODUCT / BASEPROJECT / BASEVENDOR and the version numbers.

Second: Install & configure ModSecurity

Haven't tested that yet, but the ModSecurity reference manual describes it well.

PHP

The configuration is made via the "php.ini". Here is another nice article for PHP.

Disable PHP X-Powered-By

expose_php=off

Testing your settings

All you need to test whether your settings were successful is a telnet client.

Telnet test

This is an example of how to see your HTTP header.

# telnet text.xy.com 80
HEAD / HTTP/1.0<Enter>
test<Enter>
<Enter>

The output of the above sample should be:

HTTP/1.1 400 Bad Request
Date: Thu, 02 Feb 2012 19:38:27 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=iso-8859-1

Connection closed by foreign host.
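The telnet session above has to be read by eye. The following script is an added example (not part of the original article) that automates the same check: it sends a HEAD request, or parses a raw response pasted from a telnet session, and flags a Server header that still carries version or OS detail (which ServerTokens Prod removes) or an X-Powered-By header (which expose_php=off removes). The host and port passed to head_request are assumptions you supply; the two sample responses in the script are constructed, one leaky default and one matching the hardened output shown above.

```python
"""Check which software details a web server still discloses in its headers.

Added example, not from the original wiki article. Usage:
    python check_fingerprint.py            # analyse the constructed samples
    python check_fingerprint.py host [port]  # send a real HEAD request
"""
import http.client
import re
import sys

# A Server value such as "Apache/2.2.22 (Ubuntu)" carries a version and an OS;
# the bare "Apache" that ServerTokens Prod leaves behind matches neither.
VERSION_PATTERN = re.compile(r"/\d|\(")


def analyze_headers(headers):
    """Return a list of findings for a mapping of header name -> value.

    An empty list means only "Server: Apache" (or no Server header at all)
    and no X-Powered-By header were found.
    """
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    server = lowered.get("server")
    if server is not None and VERSION_PATTERN.search(server):
        findings.append(
            f"Server header discloses detail: {server!r} (set ServerTokens Prod)")
    if "x-powered-by" in lowered:
        findings.append(
            f"X-Powered-By present: {lowered['x-powered-by']!r} (set expose_php=off)")
    return findings


def parse_raw_response(raw):
    """Parse a raw HTTP response (as seen in telnet) into (status_line, headers)."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.splitlines()
    status_line = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return status_line, headers


def head_request(host, port=80, path="/", timeout=5):
    """Send a HEAD request like the telnet test and return (status, headers dict)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


# Constructed samples: a typical default installation and the hardened
# response shown in the article's telnet test.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 02 Feb 2012 19:38:27 GMT\r\n"
    "Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Content-Type: text/html\r\n\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Date: Thu, 02 Feb 2012 19:38:27 GMT\r\n"
    "Server: Apache\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
)


def report(label, headers):
    findings = analyze_headers(headers)
    print(f"{label}: {'OK, nothing disclosed' if not findings else ''}")
    for finding in findings:
        print("  -", finding)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        status, hdrs = head_request(host, port)
        report(f"{host}:{port} (HTTP {status})", hdrs)
    else:
        for label, raw in (("leaky sample", LEAKY_RESPONSE),
                           ("hardened sample", HARDENED_RESPONSE)):
            report(label, parse_raw_response(raw)[1])
```

Run it against your own server after changing httpd.conf and php.ini; it should print "OK, nothing disclosed" once only "Server: Apache" remains.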

W3AF

Just install the Web Application Attack and Audit Framework and run a scan of your website via the "Wizard". With the above settings the scan should find no detailed information about your web server, only "Server: Apache".

Links

Task learn how to secure Apache and PHP by hiding version information and other information
Apache HTTP Server
modsecurity.org
ModSecurity reference manual
Apache Tips & Tricks: Hide PHP version (X-Powered-By)
Web Application Attack and Audit Framework