A good start is to avoid displaying the software versions you are using.
Let me explain. When somebody requests a page from an HTTP server, the server responds with headers such as Content-Type, Content-Length... as well as Server.
People don't usually see those headers, but someone who wants to hack your box may well be looking at them. Why? Because known exploits usually work on specific software versions.
Let's look at the default HTTP headers on my Ubuntu dapper box:
~$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 25 Jul 2006 10:47:13 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.4-1.dotdeb.2
Last-Modified: Mon, 20 Mar 2006 09:51:25 GMT
ETag: "3057-1f8-1a0f4140"
Accept-Ranges: bytes
Content-Length: 504
Connection: close
Content-Type: text/html; charset=ISO-8859-1

Connection closed by foreign host.
As you can see from this excerpt, my box is running Apache 2.0.55 on Ubuntu, with PHP 5.1.4. This is perfect: if I want to hack that box, I simply have to look for known exploits for Apache 2.0.55, PHP 5.1.4, or even Ubuntu.
The idea is to avoid telling too much, so we are going to make Apache less verbose.
2. Apache Configuration File:
In Apache, the ServerTokens directive allows the system administrator to choose how much the Server HTTP response header reveals:
- ServerTokens Prod[uctOnly]: this is the most restrictive; in our example, Apache will respond:
response -> Server: Apache
- ServerTokens Major
response -> Server: Apache/2
- ServerTokens Minor
response -> Server: Apache/2.0
- ServerTokens Min[imal]
response -> Server: Apache/2.0.55
- ServerTokens OS
response -> Server: Apache/2.0.55 (Ubuntu)
- ServerTokens Full
response -> Server: Apache/2.0.55 (Ubuntu) PHP/5.1.4-1.dotdeb.2 mymod1/X.Y mymod2/W.Z
By default, ServerTokens is set to Full, on my dapper box at least. To change that value, edit /etc/apache2/apache2.conf and look for the line containing ServerTokens.
Note: on my Ubuntu dapper box, ServerTokens was not set and was therefore taking the default value (Full); in that case, simply add the directive to apache2.conf.
I would recommend setting ServerTokens to Prod by adding this to apache2.conf:
ServerTokens Prod
Reload Apache:
$ sudo /etc/init.d/apache2 reload
and check for the new headers. Here are the headers sent back by my local server after setting ServerTokens to Prod:
$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 25 Jul 2006 11:33:09 GMT
Server: Apache
Last-Modified: Mon, 20 Mar 2006 09:51:25 GMT
ETag: "3057-1f8-1a0f4140"
Accept-Ranges: bytes
Content-Length: 504
Connection: close
Content-Type: text/html; charset=ISO-8859-1

Connection closed by foreign host.
As you can see, Apache no longer reveals which version and modules are running.
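To turn the manual telnet check above into something repeatable, here is an added example (not part of the original post) that parses a raw response head, extracts the Server header, and maps it onto the six ServerTokens levels listed earlier; it generalizes the two captured responses to any Apache Server value, and the two sample responses are constructed from the excerpts in this post.

```python
import re
from typing import Optional

# Constructed sample inputs: the HEAD responses shown in the post,
# before and after setting ServerTokens Prod (trimmed to the relevant headers).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 25 Jul 2006 10:47:13 GMT\r\n"
    "Server: Apache/2.0.55 (Ubuntu) PHP/5.1.4-1.dotdeb.2\r\n"
    "Content-Type: text/html; charset=ISO-8859-1\r\n\r\n"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 25 Jul 2006 11:33:09 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=ISO-8859-1\r\n\r\n"
)

# Server: Apache[/major[.minor[.patch]]][ (OS)][ extra modules...]
_SERVER_RE = re.compile(r"^Apache(?:/(\d+)(?:\.(\d+)(?:\.(\d+))?)?)?(\s*\(([^)]*)\))?(.*)$")

def server_header(head: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response head, or None."""
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def servertokens_level(server: str) -> str:
    """Map a Server value to the ServerTokens level that produces it
    (Prod, Major, Minor, Minimal, OS, Full), or 'unknown' for non-Apache."""
    m = _SERVER_RE.match(server)
    if not m:
        return "unknown"
    major, minor, patch, os_part, _, rest = m.groups()
    if rest.strip():          # module/PHP tokens after the OS -> Full
        return "Full"
    if os_part:               # "(Ubuntu)" present -> OS
        return "OS"
    if patch is not None:
        return "Minimal"
    if minor is not None:
        return "Minor"
    if major is not None:
        return "Major"
    return "Prod"

def leaks_version(head: str) -> bool:
    """True when the Server header reveals more than the bare product name."""
    server = server_header(head)
    return server is not None and servertokens_level(server) != "Prod"
```

Feed it the bytes you capture with telnet (or a scripted HEAD request) and treat any level other than Prod as a finding to fix in apache2.conf.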
