Hide your identity

Most web servers, by default, send out information about themselves with each request served. For example, a default installation of Windows returns the following information with each file served:

Server: Apache/2.2.11 (Win32) PHP/5.2.9

From that we can ascertain that the machine is running Apache 2.2.11 on Windows plus PHP 5.2.9.

Now, all an attacker has to do is check for known bugs in Apache 2.2.11, PHP 5.2.9, or, worse, Windows, and exploit them - we have in effect given them a headstart.

Editing your httpd.conf file, look for the two directives "ServerSignature" and "ServerTokens" - both of these control what information Apache gives out about itself. ServerSignature is used to define what Apache prints at the bottom of server-generated pages such as 404 error pages. Similarly, with ServerTokens set to full (the default), the same information is sent along with every request. To change this, set ServerSignature to "Off" and ServerTokens to "Prod" - this will stop it printing anything out for error messages, and restrict the information sent with each request to just "Apache". A big step forward - at least now your site will not appear if people are scanning for certain Apache versions.

Here is how that same Windows Apache server describes itself with these changes in place:

Server: Apache

Much better!


Want to learn PHP 7?

Hacking with PHP has been fully updated for PHP 7, and is now available as a downloadable PDF. Get over 1200 pages of hands-on PHP learning today!

If this was helpful, please take a moment to tell others about Hacking with PHP by tweeting about it!

Next chapter: Hiding PHP >>

Previous chapter: Remember that most files are public

Jump to:


Home: Table of Contents

Copyright ©2015 Paul Hudson. Follow me: @twostraws.