www.Hilands.com


Configuring apache to send less data to potential attackers
Last Modified: 2013-05-17
You can help your system's security by sending less data to attackers. Granted, this isn't end-all security documentation and may not make you less susceptible to attacks, but it may keep you off the radar of those attempting to target you. The idea is to give out the least amount of information without turning off any usable features.

Apache configuration modifications
We want to modify the "ServerTokens" and "ServerSignature" directives to send the least amount of information in the headers. We would normally go about doing this by editing either apache2.conf or httpd.conf. However, in Debian these directives live in an included file named "security". If you add them to the end of apache2.conf, which is below the include for the security file, the configuration will still work. First back up the original:

# cp /etc/apache2/conf.d/security /etc/apache2/security.orig

* Note we are copying the original to the folder above conf.d, because apache2.conf pulls in the entire conf.d folder with "Include conf.d/"; a backup left inside conf.d would be loaded as well.

# nano /etc/apache2/conf.d/security

ServerTokens ProductOnly
ServerSignature Off
Setting ServerTokens to ProductOnly will display just "Apache" as the server. Note that you will not see the ServerTokens value within your browser, even if you are using Firefox with the web developer tools and viewing the HTTP header responses. All of the available options for the ServerTokens directive can be found on the Apache website: http://httpd.apache.org/docs/2.2/mod/core.html#servertokens

By default in Debian, ServerTokens is set to OS.

After you have made changes to the Apache configuration you will need to restart the Apache server.

# /etc/init.d/apache2 restart
* Note ServerTokens can also be added to the VirtualHost directive. ServerTokens and ServerSignature can also be added to the apache2.conf configuration file. However, this would complicate the configuration files for anyone else looking at them. In case there are multiple settings you can easily search the configuration folders under /etc/apache2/ with grep.

# grep -iR servertokens /etc/apache2

The output should only show our two files, security and security.orig:
/etc/apache2/conf.d/security:ServerTokens ProductOnly
/etc/apache2/security.orig:ServerTokens OS

Browser output before and after Apache configuration modifications
ServerSignature controls the footer line displayed at the bottom of the page when an error page is triggered.

ServerSignature is turned on (Before modification)
Not Found

The requested URL /blah was not found on this server.
Apache/2.2.16 (Debian) Server at 192.168.0.1 Port 80

ServerSignature is turned off (After modification)
Not Found

The requested URL /blah was not found on this server.
Sniffer output before and after Apache configuration modifications
ServerTokens controls what Apache sends in the "Server" response header, which is visible when viewing the HTTP data in a sniffer.

With ServerTokens set to the Debian default of OS we will see the following data.
GET / HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=ih3lftg75uvc6r42n1ps0phln1
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Fri, 09 Nov 2012 18:47:01 GMT
Server: Apache/2.2.16 (Debian)
Last-Modified: Wed, 08 Aug 2012 07:05:52 GMT
ETag: "36fe026-5-4c6bbbdc79400"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 25
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
With ServerTokens set to ProductOnly we will see the following.
GET / HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 200 OK
Date: Fri, 09 Nov 2012 18:40:21 GMT
Server: Apache
Last-Modified: Wed, 08 Aug 2012 07:05:52 GMT
ETag: "36fe026-5-4c6bbbdc79400"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 25
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
PHP configuration modifications
If we request a PHP page, a sniff will reveal the PHP version in the X-Powered-By: header. To disable this we can modify the "expose_php" variable in the php.ini file.

# cp /etc/php5/apache2/php.ini /etc/php5/apache2/php.orig.ini
# nano /etc/php5/apache2/php.ini

Find
expose_php = On
and change it to
expose_php = Off
* Note - if you want to comment anything in this file use a semicolon (;) instead of a pound symbol (#) at the beginning of the line.

Restart Apache when done:

# /etc/init.d/apache2 restart


Sniffer output before and after php.ini modifications
Request a PHP page with expose_php = On:
GET /index.php HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 200 OK
Date: Fri, 09 Nov 2012 18:43:31 GMT
Server: Apache
X-Powered-By: PHP/5.3.3-7+squeeze14
Set-Cookie: PHPSESSID=ih3lftg75uvc6r42n1ps0phln1; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1745
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
After the change the response headers should show:
GET /index.php HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=ih3lftg75uvc6r42n1ps0phln1
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Fri, 09 Nov 2012 18:54:10 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1747
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
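An added example (not code from the original page) that checks captured responses for the two disclosures covered so far: the ServerTokens level behind the Server header and the X-Powered-By header that expose_php adds. The level patterns follow the Apache ServerTokens documentation linked above, and the sample responses are constructed from the captures on this page.

```python
import re

# What the Server header looks like at each ServerTokens level, per the Apache
# core docs the page links (most verbose first).
SERVER_TOKENS_LEVELS = [
    ("Full",  re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\) \S")),  # plus module list
    ("OS",    re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\)$")),    # Debian default
    ("Min",   re.compile(r"^Apache/\d+\.\d+\.\d+$")),
    ("Minor", re.compile(r"^Apache/\d+\.\d+$")),
    ("Major", re.compile(r"^Apache/\d+$")),
    ("Prod",  re.compile(r"^Apache$")),                            # the page's target
]


def parse_response_headers(raw):
    """Split a raw HTTP response into (status line, {lowercased name: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify_server_tokens(server_value):
    """Map a Server header value back to the ServerTokens level that produces it."""
    for level, pattern in SERVER_TOKENS_LEVELS:
        if pattern.match(server_value):
            return level
    return "unknown"


def audit_response(raw):
    """Return the disclosures this page removes: a Server header more verbose
    than ProductOnly, and an X-Powered-By header (expose_php = On)."""
    _, headers = parse_response_headers(raw)
    findings = []
    if "server" in headers:
        level = classify_server_tokens(headers["server"])
        if level != "Prod":
            findings.append("Server: %s (ServerTokens looks like %s)" % (headers["server"], level))
    if "x-powered-by" in headers:
        findings.append("X-Powered-By: %s (set expose_php = Off)" % headers["x-powered-by"])
    return findings


# Constructed samples, trimmed from the captures shown above.
BEFORE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.16 (Debian)\r\n"
          "X-Powered-By: PHP/5.3.3-7+squeeze14\r\nContent-Type: text/html\r\n\r\n<html>")
AFTER = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html>"
```

Calling audit_response(BEFORE) reports both headers, while audit_response(AFTER) returns an empty list.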
Removing directory indexes
We will need to edit the location where the virtual hosts are stored. In Debian we can edit 000-default in the sites-enabled folder. Note that 000-default is a symlink to default in the sites-available folder.

# cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default.orig
# nano /etc/apache2/sites-available/default

We will need to remove Indexes from the Options line. Change
Options Indexes FollowSymLinks MultiViews
to
Options FollowSymLinks MultiViews
The result will be
Forbidden

You don't have permission to access /<folder full of files and no index file>/ on this server.


Alternatively it appears we can disable the Apache autoindex module.

# a2dismod autoindex

However, the error message will change from the Forbidden message to a Not Found message. You will still be able to target a directory and get the index if one is available.
Not Found

The requested URL /<folder full of files and no index file>/ was not found on this server.
It is probably best to do both, just in case an excited system administrator re-enables the module by running

# a2enmod autoindex
Turning off PHP Errors
On a production server you shouldn't have any code that hasn't been tested or that shows errors.

# nano /etc/php5/apache2/php.ini

Change display_errors from On to Off. Find
display_errors = On
and change it to
display_errors = Off
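To verify the configuration side of everything above (ServerTokens, ServerSignature, Options Indexes, expose_php and display_errors) before restarting Apache, here is an added example that is not from the original page. It audits Apache and php.ini text and runs against constructed samples modelled on the Debian defaults the page edits; the comment handling follows the page's note that php.ini uses ";" while Apache uses "#".

```python
# Values PHP treats as "on" for boolean ini settings (display_errors also
# accepts stdout/stderr, which still display errors).
ON_VALUES = {"on", "1", "true", "yes", "stdout", "stderr"}


def apache_directives(text):
    """Yield (directive, args) from Apache config text, skipping comments and <tags>."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split()
        yield parts[0].lower(), parts[1:]


def audit_apache(text):
    """Flag the ServerTokens, ServerSignature and Options Indexes settings the page changes."""
    findings, seen_tokens = [], False
    for name, args in apache_directives(text):
        if name == "servertokens":
            seen_tokens = True
            if args and args[0].lower() not in ("prod", "productonly"):
                findings.append("ServerTokens %s: set ServerTokens ProductOnly" % args[0])
        elif name == "serversignature" and args and args[0].lower() != "off":
            findings.append("ServerSignature %s: set ServerSignature Off" % args[0])
        elif name == "options" and any(a.lower() in ("indexes", "+indexes") for a in args):
            findings.append("Options enables directory listings: drop Indexes")
    if not seen_tokens:
        findings.append("ServerTokens not set: Debian's default is OS")
    return findings


def audit_php_ini(text):
    """Flag expose_php and display_errors when they are on."""
    findings = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # php.ini comments start with ';'
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.lower() in ("expose_php", "display_errors") and value.strip('"').lower() in ON_VALUES:
            findings.append("%s = %s: set it to Off" % (key, value))
    return findings


# Constructed samples modelled on the Debian defaults the page edits.
APACHE_BEFORE = "ServerTokens OS\nServerSignature On\n<Directory /var/www/>\n    Options Indexes FollowSymLinks MultiViews\n</Directory>\n"
APACHE_AFTER = "ServerTokens ProductOnly\nServerSignature Off\n<Directory /var/www/>\n    Options FollowSymLinks MultiViews\n</Directory>\n"
PHP_BEFORE = "; constructed php.ini fragment\nexpose_php = On\ndisplay_errors = On\n"
PHP_AFTER = "expose_php = Off\ndisplay_errors = Off\n"
```

Feed the real files in with open(path).read() to check a host; each "before" sample produces findings and each "after" sample produces none.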