[WEB SECURITY] Securing apache installation with PHP

Ian Holsman kryton at gmail.com
Tue May 31 18:59:33 EDT 2005


nice try,
but unfortunately PHP adds its own header which ignores the
ServerTokens directive.
you will also need to edit your php.ini and change expose_php to off
; Misc
; 
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
expose_php = off


another thing you may want to do is run a separate web server for each
user as their user-id so that they can't compromise ALL the machine if
they install something screwy.

On 5/20/05, Peter Motykowski <pmotykowski at suncorp.coop> wrote:
> My favorite obscurity layer of security in Apache is modifying the "ServerTokens" option.  The default setting dumps unnecessary version information into the server signature and looks something like this:
> 
> Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7a PHP/5.0.4 mod_jk/1.2.10 Server at domain.com Port 80
> 
> Change the setting to "ServerTokens Prod" and you get this:
> Apache Server at domain.com Port 80
> 
> No need to hand out more info than needed!
> 
> # ServerTokens
> # This directive configures what you return as the Server HTTP response
> # Header. The default is 'Full' which sends information about the OS-Type
> # and compiled in modules.
> # Set to one of:  Full | OS | Minor | Minimal | Major | Prod
> # where Full conveys the most information, and Prod the least.
> 
> Peter
> 
> -----Original Message-----
> From: Ahmad Sallehin Haji Mohammad Ali [mailto:sallehin.ali at itpss.com]
> Sent: Thursday, May 19, 2005 7:34 AM
> To: Cedric Foll
> Cc: websecurity at webappsec.org
> Subject: RE: [WEB SECURITY] Securing apache installation with PHP
> 
> 
> Just keep an eye on the current updates, especially vulnerabilities & exploits that have been made.
> 
> From: Cedric Foll [mailto:cedric.foll at ac-rouen.fr]
> Sent: Thu 5/19/2005 7:15 PM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Securing apache installation with PHP
> 
> 
> Hi,
> 
> I have to set up a new web server where many users would be able to put
> PHP web pages.
> 
> I would like to harden my setup.
> 
> I've read these great articles http://www.securityfocus.com/infocus/1706
> and http://www.securityfocus.com/infocus/1694.
> 
> I use all the advice here and I'm going to use mod_security.
> 
> What else can I do to protect my webserver?
> 
> For example, there are disable_functions and disable_classes in php.ini.
> What should I put there?
> 
> Regards.
> 
> --
> Cedric Foll
> Ingénieur Sécurité & Réseaux
> Division Informatique, Rectorat de Rouen
> 
> "He who joyfully marches to music in rank and file has already earned my
> contempt. He has been given a large brain by mistake, since for him the
> spinal cord would fully suffice."
> Albert Einstein
> 
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
> 
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
> 
> 


-- 
Ian at Holsman.net -- 03-9877-0909
If everything seems under control, you're not going fast enough. -
Mario Andretti
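A quick way to confirm that the two settings discussed in this thread (ServerTokens Prod in httpd.conf and expose_php = off in php.ini) actually took effect is to audit the response headers the server sends back. The script below is an added example, not code from the thread or from either project; the sample header sets are constructed, and the audit_url helper (plain http.client, HEAD request) is there for checking a live host you administer.

```python
"""Audit HTTP response headers for Apache/PHP version disclosure, i.e.
check whether ServerTokens Prod and expose_php = Off are in effect."""
import http.client
import re
from urllib.parse import urlsplit

# A "/<digits>" suffix or a parenthesised OS token after the product name
# means ServerTokens is not Prod; any X-Powered-By header means expose_php is on.
VERSION_RE = re.compile(r"/\d+(\.\d+)*")


def audit_headers(headers):
    """Return a list of findings for a dict of response headers.
    Header names are matched case-insensitively; an empty list means only
    the bare product name is disclosed."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    server = h.get("server", "")
    if VERSION_RE.search(server) or "(" in server:
        findings.append(f"Server header reveals version/OS: {server!r} (set ServerTokens Prod)")
    if "x-powered-by" in h:
        findings.append(f"X-Powered-By present: {h['x-powered-by']!r} (set expose_php = Off)")
    return findings


def audit_url(url, timeout=5):
    """Send a HEAD request to url and audit the headers of the live response."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        return audit_headers(dict(conn.getresponse().getheaders()))
    finally:
        conn.close()


# Constructed sample headers: a default install next to a hardened one.
DEFAULT_INSTALL = {
    "Server": "Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7a PHP/5.0.4 mod_jk/1.2.10",
    "X-Powered-By": "PHP/5.0.4",
    "Content-Type": "text/html",
}
HARDENED = {"Server": "Apache", "Content-Type": "text/html"}

if __name__ == "__main__":
    for name, hdrs in (("default", DEFAULT_INSTALL), ("hardened", HARDENED)):
        print(name, audit_headers(hdrs) or ["no version disclosure"])
```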
