[WEB SECURITY] Securing apache installation with PHP

Peter Motykowski pmotykowski at suncorp.coop
Thu May 19 10:34:45 EDT 2005

My favorite obscurity layer of security in Apache is modifying the "ServerTokens" option.  The default setting dumps unnecessary version information into the server signature and looks something like this:

Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7a PHP/5.0.4 mod_jk/1.2.10 Server at domain.com Port 80

Change the setting to "ServerTokens Prod" and you get this:
Apache Server at domain.com Port 80

No need to hand out more info than needed!

# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.


-----Original Message-----
From: Ahmad Sallehin Haji Mohammad Ali [mailto:sallehin.ali at itpss.com]
Sent: Thursday, May 19, 2005 7:34 AM
To: Cedric Foll
Cc: websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Securing apache installation with PHP

Just keep on eye with the current update especially vulnerabilities & exploits that has been made.

From: Cedric Foll [mailto:cedric.foll at ac-rouen.fr]
Sent: Thu 5/19/2005 7:15 PM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Securing apache installation with PHP


I have to set up a new web server where many users would be able to put
PHP web pages.

I would like to harden my setup.

I've read these great articles http://www.securityfocus.com/infocus/1706
and http://www.securityfocus.com/infocus/1694.

I use all advices here and i'm going use mod_security.

What else can i do to protect my webserver ?

For exemple, there is disable_functions and disable_classes in php.ini.
What should I put there ?


Cedric Foll
Ingénieur Sécurité & Réseaux
Division Informatique, Rectorat de Rouen

"He who joyfully marches to music in rank and file has already earned my
contempt. He has been given a large brain by mistake, since for him the
spinal cord would fully suffice."
Albert Einstein

The Web Security Mailing List

The Web Security Mailing List Archives

More information about the websecurity mailing list