Hacking with PHP has been updated for PHP 7 - click here! >>

Hide your identity

Most web servers, by default, send out information about themselves with each request served. For example, a default installation of Windows returns the following information with each file served:

Server: Apache/2.2.11 (Win32) PHP/5.2.9

From that we can ascertain that the machine is running Apache 2.2.11 on Windows plus PHP 5.2.9.

Now, all an attacker has to do is check for known bugs in Apache 2.2.11, PHP 5.2.9, or, worse, Windows, and exploit them - we have in effect given them a headstart.

Editing your httpd.conf file, look for the two directives "ServerSignature" and "ServerTokens" - both of these control what information Apache gives out about itself. ServerSignature is used to define what Apache prints at the bottom of server-generated pages such as 404 error pages. Similarly, with ServerTokens set to full (the default), the same information is sent along with every request. To change this, set ServerSignature to "Off" and ServerTokens to "Prod" - this will stop it printing anything out for error messages, and restrict the information sent with each request to just "Apache". A big step forward - at least now your site will not appear if people are scanning for certain Apache versions.

Here is how that same Windows Apache server describes itself with these changes in place:

Server: Apache

Much better!


If this was helpful, please take a moment to tell others about Hacking with PHP by tweeting about it!

Next chapter: Hiding PHP >>

Previous chapter: Remember that most files are public

Jump to:


Home: Table of Contents

Copyright ©2015 Paul Hudson. Follow me: @twostraws.