views: 60
answers: 3

As a security measure, I want to hide the technology stack I am using on my server. What are effective ways to do this? I thought about

1) Use mod_rewrite or Rewrite Module to hide any page extensions like .php or .aspx
2) Turn off all error reporting

1b) Use mod_rewrite to serve a misleading extension on purpose, like disguising a PHP page as ASPX
2b) Throw misleading errors to go with 1b), making my PHP pages display ASP-like errors.

A: 

You can add fake Server: and/or X-Powered-By headers to the response, pretending that it was generated by a different server. (Or, Server: My Unhackable Server)

SLaks
A: 
  1. Don't show accurate page extensions
  2. Don't use standard error pages
  3. Make sure the web server and application layer (ASP.NET, PHP et al.) hide their presence in browser headers
  4. If your error pages do anything dynamic, assume that this can fail somehow and have a set of static HTML pages you can serve that aren't the web server's default ones
  5. Make sure all of your technology stacks are configured to not show stack traces on any error pages served to machines other than the local server. If for some reason all your custom errors fail, then the user may see the technology stack, but they won't have a window into the underlying code.
Crippledsmurf
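The header and cookie leaks that SLaks and Crippledsmurf's items 1 to 3 talk about can be checked against your own server's responses. This is an added example, not code from the question or any answer; it parses a constructed raw HTTP response and reports what the Server, X-Powered-By, Set-Cookie and Location headers give away.

```python
# Well-known session cookie names that identify a framework.
FRAMEWORK_COOKIES = {
    "PHPSESSID": "PHP",
    "ASP.NET_SessionId": "ASP.NET",
    "JSESSIONID": "Java servlet container",
}
# Page extensions that reveal the server-side technology.
REVEALING_EXTENSIONS = (".php", ".aspx", ".asp", ".jsp")


def parse_response(raw: bytes) -> dict:
    """Header map of a raw HTTP/1.1 response: lowercased names, list values."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(headers: dict) -> list:
    """One finding per disclosure; an empty list means nothing obvious leaks."""
    findings = []
    for name in ("server", "x-powered-by", "x-aspnet-version"):
        for value in headers.get(name, []):
            # A bare product name leaks less than a version, but report both.
            findings.append(f"{name} header discloses: {value}")
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        if cookie_name in FRAMEWORK_COOKIES:
            findings.append(f"cookie {cookie_name} identifies {FRAMEWORK_COOKIES[cookie_name]}")
    for loc in headers.get("location", []):
        if loc.split("?", 1)[0].lower().endswith(REVEALING_EXTENSIONS):
            findings.append(f"Location header exposes page extension: {loc}")
    return findings


def audit_response(raw: bytes) -> list:
    return audit_headers(parse_response(raw))


# Constructed sample: a PHP site behind Apache that redirects to a .php page.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    b"Location: /login.php?next=%2F\r\n\r\n"
)

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print("LEAK:", finding)
```

Run it against a response captured from your own server after applying the header, cookie-name and rewrite changes; an empty result means the response no longer names the stack outright.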
+2  A: 

This is an impossible task. You will have to modify the entire stack, in which case you will have just created new buggy versions that you now have to keep in sync with the vendors' versions.

There's literally no way to do this without making your site less secure.

You can do lame stuff like remove X-Powered-By, or change the session generation scheme if it's using something like ASP or PHP which has a known one. The fact is it's not going to stop anyone who actually wants to know what you are running.

For basic examples (it goes much deeper than this), some web servers will accept any header, so I can say GET LOLOLOL HTTP/1.1 and it will still work. Some stacks will keep the session alive, some won't. You can also see what features are on the stack, since there are just so many on the web and there's no way on earth any stack supports the exact same set.

Longpoke
It doesn't have to be perfect. I just want it to be as good as it can be without introducing too many problems into the code.
Bimmy