Given the version numbers of services running on a Web server, an attacker has an advantage in that the attacker can simply look up known vulnerabilities for that software and immediately attack them, without tipping off defensive systems with unsuccessful attempts. If the version numbers are hidden, the attacker has to guess and try a variety of attacks, any of which might activate defensive systems running on the server. The following steps will allow webmasters to remove certain identifying information from Linux-based servers. Some of these steps may not work on shared web hosts.
How the Information is Found
Before we go into hiding the information, it may be helpful to briefly discuss how an attacker finds the information in question. When a file is requested from a web server, the server attaches information about the document, called "headers", to the file. These headers contain information about the server software and the communication protocols involved in transmitting the document. This information is hidden from most web users, but can be viewed using various browser plugins, such as Live HTTP Headers for Firefox. The following are some sample headers that a web site might send when serving a page to a user:
1. HTTP/1.1 200 OK
2. Date: Tue, 24 Mar 2009 14:44:38 GMT
3. Server: Apache/2.0.55 (FreeBSD) PHP/5.1.2 mod_ssl/2.0.55 OpenSSL/0.9.8a
4. X-Powered-By: PHP/5.1.2
5. Expires: Thu, 19 Nov 1981 08:52:00 GMT
6. Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
7. Pragma: no-cache
8. Connection: close
9. Transfer-Encoding: chunked
10. Content-Type: text/html; charset=ISO-8859-1
11. Content-Language: en-us
The important lines are 3 and 4, which contain the server and PHP version numbers. These give a potential attacker information about the Apache server, PHP engine and operating system.
Hiding the Information
The first step is to hide the Operating System information and Apache version numbers. This is very easy to do, and only requires the addition of a single line to the server configuration file or .htaccess file:
ServerTokens Prod
That simple line will change line 3 above into the following:
3. Server: Apache
That's it.
The next step is to hide the information about PHP. That is slightly more difficult. The following line in the server configuration file or .htaccess file will remove line 4 in the above example completely:
Header unset X-Powered-By
Using this directive requires that the mod_headers module be installed and enabled in Apache. On most systems, the module will be available.
Of course, if you really wanted to get tricky, you could add some fun headers as well.
Header set X-AspNet-Version "2.0.50727"
Header set X-Powered-By "ASP.NET"
This would make the server look to an attacker as though it were running ASP on a Linux system (which is not very likely).
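To confirm that the changes actually took effect after Apache is restarted, here is an added Python check (not part of the original post) that parses a raw HTTP response head and reports any product/version tokens or platform comments still present in the Server and X-Powered-By headers; the two sample heads are constructed from the post's example, before and after the configuration changes.

```python
import re
from typing import Dict, List, Tuple

# Response headers that routinely carry software and version banners.
FINGERPRINT_HEADERS = ("server", "x-powered-by")
# "product/version" tokens such as "Apache/2.0.55" or "OpenSSL/0.9.8a".
PRODUCT_VERSION = re.compile(r"([A-Za-z_][\w.-]*)/(\d[\w.]*)")
# Parenthesised platform comments such as "(FreeBSD)" or "(Ubuntu)".
PLATFORM_COMMENT = re.compile(r"\(([^)]+)\)")

# Constructed sample: the response head from the post, before hardening.
BEFORE = """HTTP/1.1 200 OK
Date: Tue, 24 Mar 2009 14:44:38 GMT
Server: Apache/2.0.55 (FreeBSD) PHP/5.1.2 mod_ssl/2.0.55 OpenSSL/0.9.8a
X-Powered-By: PHP/5.1.2
"""
# Constructed sample: the same response after "ServerTokens Prod" and
# "Header unset X-Powered-By" have taken effect.
AFTER = """HTTP/1.1 200 OK
Date: Tue, 24 Mar 2009 14:44:38 GMT
Server: Apache
"""

def parse_head(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response head into {lower-cased name: value}."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def find_disclosures(raw: str) -> List[Tuple[str, str, str]]:
    """Return (header, product, version) for each banner token found,
    with platform comments reported as (header, "platform", name)."""
    findings: List[Tuple[str, str, str]] = []
    headers = parse_head(raw)
    for name in FINGERPRINT_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        for product, version in PRODUCT_VERSION.findall(value):
            findings.append((name, product, version))
        for platform in PLATFORM_COMMENT.findall(value):
            findings.append((name, "platform", platform))
    return findings

def is_clean(raw: str) -> bool:
    return not find_disclosures(raw)
```

If the Server header still shows versions after this check, note that ServerTokens is honoured only in the main server configuration, not in .htaccess, so that is the first place to look.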