[WEB SECURITY] Securing apache installation with PHP
pmotykowski at suncorp.coop
Thu May 19 10:34:45 EDT 2005
My favorite obscurity layer of security in Apache is modifying the "ServerTokens" option. The default setting dumps unnecessary version information into the server signature and looks something like this:
Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7a PHP/5.0.4 mod_jk/1.2.10 Server at domain.com Port 80
Change the setting to "ServerTokens Prod" and you get this:
Apache Server at domain.com Port 80
No need to hand out more info than needed!
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
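As an added check that is not part of the original message: the small Python script below maps the value of an Apache `Server:` header (or the "Server at ... Port ..." signature line quoted above) back to the `ServerTokens` level that would produce it, and lists every `name/version` pair the string discloses. The sample strings are taken from the message; everything else is an assumption of this example.

```python
import re

# A version-bearing token such as "Apache/2.0.54" or "OpenSSL/0.9.7a".
_VERSIONED = re.compile(r"^([A-Za-z_][\w-]*)/(\S+)$")


def classify_server_tokens(server_header: str) -> str:
    """Return the ServerTokens level (Prod, Major, Minor, Minimal, OS or Full)
    that would emit this Server header value, or "not-apache"."""
    value = server_header.strip()
    # leading product token, optional "(OS)" comment, optional trailing tokens
    m = re.match(r"^(\S+)(?:\s+\(([^)]*)\))?(?:\s+(.*))?$", value)
    if not m or not m.group(1).lower().startswith("apache"):
        return "not-apache"
    product, os_comment, rest = m.groups()
    if rest:          # module list (or signature tail) follows: Full
        return "Full"
    if os_comment:    # "Apache/2.0.54 (Unix)"
        return "OS"
    vm = _VERSIONED.match(product)
    if not vm:        # bare "Apache"
        return "Prod"
    parts = vm.group(2).split(".")
    if len(parts) == 1:
        return "Major"    # "Apache/2"
    if len(parts) == 2:
        return "Minor"    # "Apache/2.0"
    return "Minimal"      # "Apache/2.0.54"


def leaked_versions(server_header: str) -> dict:
    """Every 'name/version' pair disclosed by the header or signature line."""
    found = {}
    for tok in re.sub(r"\([^)]*\)", " ", server_header).split():
        vm = _VERSIONED.match(tok)
        if vm:
            found[vm.group(1)] = vm.group(2)
    return found


if __name__ == "__main__":
    # The two strings quoted in the message above.
    full = "Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7a PHP/5.0.4 mod_jk/1.2.10 Server at domain.com Port 80"
    prod = "Apache Server at domain.com Port 80"
    for s in (full, prod):
        print(classify_server_tokens(s), leaked_versions(s))
```

Note that even with `ServerTokens Prod` the error-page footer still says "Apache Server at domain.com Port 80"; the separate `ServerSignature Off` directive suppresses that footer entirely.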
From: Ahmad Sallehin Haji Mohammad Ali [mailto:sallehin.ali at itpss.com]
Sent: Thursday, May 19, 2005 7:34 AM
To: Cedric Foll
Cc: websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Securing apache installation with PHP
Just keep an eye on the current updates, especially the vulnerabilities & exploits that have been made.
From: Cedric Foll [mailto:cedric.foll at ac-rouen.fr]
Sent: Thu 5/19/2005 7:15 PM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Securing apache installation with PHP
I have to set up a new web server where many users will be able to put up
PHP web pages.
I would like to harden my setup.
I've read this great article: http://www.securityfocus.com/infocus/1706
I use all the advice there and I'm going to use mod_security.
What else can I do to protect my web server?
For example, there are disable_functions and disable_classes in php.ini.
What should I put there?
Security & Network Engineer
IT Division, Rectorat de Rouen
"He who joyfully marches to music in rank and file has already earned my
contempt. He has been given a large brain by mistake, since for him the
spinal cord would fully suffice."
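As an added example, not code from anyone in this thread: a Python snippet that reads the `disable_functions` and `disable_classes` entries out of a php.ini file and reports which functions from a baseline list are still callable. The baseline list and the sample ini text are assumptions constructed for this example; the functions named in it are real PHP built-ins that spawn processes or load code at run time.

```python
# Baseline used by this example (an assumption, not a list from the thread):
# PHP built-ins that execute external programs or load extensions at run time.
BASELINE_FUNCTIONS = {
    "exec", "passthru", "shell_exec", "system",
    "proc_open", "popen", "pcntl_exec", "dl",
}

# Constructed sample php.ini fragment for this example.
SAMPLE_INI = """
; constructed sample, not a real php.ini
[PHP]
disable_functions =
; a later setting of the same directive wins, as in PHP's ini parser
disable_functions = exec, passthru, shell_exec, system
disable_classes = "ReflectionFunction"
"""


def parse_php_ini_directive(ini_text: str, name: str) -> set:
    """Return the comma-separated values of directive `name` in php.ini text.
    ';' starts a comment; the last occurrence of the directive wins; values
    are lower-cased because PHP function and class names are case-insensitive."""
    values = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip().lower() != name.lower():
            continue
        val = val.strip().strip('"')
        values = {v.strip().lower() for v in val.split(",") if v.strip()}
    return values


def missing_from_baseline(ini_text: str, baseline=BASELINE_FUNCTIONS) -> set:
    """Baseline functions that the given php.ini does not disable."""
    disabled = parse_php_ini_directive(ini_text, "disable_functions")
    return set(baseline) - disabled


if __name__ == "__main__":
    print("disabled:", sorted(parse_php_ini_directive(SAMPLE_INI, "disable_functions")))
    print("classes:", sorted(parse_php_ini_directive(SAMPLE_INI, "disable_classes")))
    print("still callable:", sorted(missing_from_baseline(SAMPLE_INI)))
```

Two caveats worth keeping in mind when relying on these directives: they only affect internal (built-in) functions and classes, and because they are `PHP_INI_SYSTEM` settings a script cannot re-enable them with `ini_set()`, which is exactly why they belong in php.ini on a shared server.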
The Web Security Mailing List