I am running a test server locally on a Mac that is also broadcast (for education purposes). I ran a piece of software called Acunetix (www.acunetix.com) from another computer and it was able to detect the technologies used on the server. How can I block anything from viewing this information?
Here is one thing you can do to hide the Apache, PHP and OS version information.
Before:
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 12:20:30 GMT
Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.4
X-Powered-By: PHP/5.2.3-1ubuntu6.4
Connection: close
Content-Type: text/html; charset=UTF-8
After:
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 13:06:21 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=UTF-8
Also, make sure that you have custom error pages so that they don't reveal information about Apache and PHP.
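An added check (not code from any answer in this thread) that parses a raw HTTP response like the Before/After blocks above and reports which headers still disclose product versions or OS hints; the sample responses are constructed from the first answer's headers, and check_url only uses the standard library to fetch your own test server.

```python
import re
import urllib.request

# Response headers that commonly advertise the server-side stack.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Product token with a version, e.g. "Apache/2.2.4" or "PHP/5.2.3-1ubuntu6.4".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d[\w.-]*")
# OS or distribution hints appear in parentheses, e.g. "(Ubuntu)".
PAREN_RE = re.compile(r"\(([^)]+)\)")

# Constructed sample responses, copied from the Before/After blocks above.
BEFORE = ("HTTP/1.1 200 OK\r\nDate: Fri, 20 Nov 2009 12:20:30 GMT\r\n"
          "Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.4\r\n"
          "X-Powered-By: PHP/5.2.3-1ubuntu6.4\r\nConnection: close\r\n"
          "Content-Type: text/html; charset=UTF-8\r\n\r\n")
AFTER = ("HTTP/1.1 200 OK\r\nDate: Fri, 20 Nov 2009 13:06:21 GMT\r\n"
         "Server: Apache\r\nConnection: close\r\n"
         "Content-Type: text/html; charset=UTF-8\r\n\r\n")

def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def find_version_leaks(raw: str) -> dict:
    """Map each fingerprinting header to the tokens it leaks; an empty dict means clean.
    A bare "Server: Apache" is tolerated (Apache will not drop the product name without
    mod_security), but any version, OS hint or X-Powered-By value is reported."""
    leaks = {}
    for name, value in parse_headers(raw).items():
        if name not in FINGERPRINT_HEADERS:
            continue
        tokens = VERSION_RE.findall(value) + PAREN_RE.findall(value)
        if name != "server" and not tokens:
            tokens = [value]  # X-Powered-By leaks the stack even without a version
        if tokens:
            leaks[name] = tokens
    return leaks

def check_url(url: str) -> dict:
    """Fetch a page from your own test server and report the headers that still leak."""
    with urllib.request.urlopen(url) as resp:
        lines = ["HTTP/1.1 %d %s" % (resp.status, resp.reason)]
        lines += ["%s: %s" % kv for kv in resp.getheaders()]
    return find_version_leaks("\r\n".join(lines) + "\r\n\r\n")
```

Run `check_url("http://127.0.0.1/")` after changing the configuration; an empty result means the response no longer carries the version information the question is about.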
iptables on Linux, or use an .htaccess file in the www root dir:
Order Deny,Allow
Deny from all
# localhost plus the two allowed machines; Apache's Allow directive takes space-separated hosts, not commas
Allow from 127.0.0.1
Allow from 167.0.2.1 167.0.2.2
or the same settings in httpd.conf.
1) Using mod_security you can change your ServerSignature to something completely different, like this:
SecServerSignature "Microsoft IIS"
Without mod_security, your HTTP header will still say "Apache".
2) Even if you don't have a .php extension, you can see if the file is a PHP file by doing this:
http://digg.com/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
This URL will display:
To stop this image hack and other issues, make sure this is set in your php.ini:
expose_php=Off
Also make sure:
display_errors=off
and:
session.name=session_id
3) For more fingerprinting, try nmap -sV yourdomain.com; oftentimes SSH will leak detailed information like what Linux distro you are running. I recommend disabling what you can and hiding the rest with port knocking.