<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>errr-online.com &#187; sysadmin</title>
	<atom:link href="http://www.errr-online.com/index.php/tag/sysadmin/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.errr-online.com</link>
	<description>Be on the lookout for useless Information</description>
	<lastBuildDate>Sun, 30 May 2010 04:48:42 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Hide your Lighttpd Version and Suppress the X-Powered-By info given by PHP</title>
		<link>http://www.errr-online.com/index.php/2010/02/27/hide-your-lighttpd-version-and-supress-the-x-powered-by-info-given-by-php/</link>
		<comments>http://www.errr-online.com/index.php/2010/02/27/hide-your-lighttpd-version-and-supress-the-x-powered-by-info-given-by-php/#comments</comments>
		<pubDate>Sat, 27 Feb 2010 16:44:37 +0000</pubDate>
		<dc:creator>errr</dc:creator>
				<category><![CDATA[BSD]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Lighttpd]]></category>
		<category><![CDATA[PHP]]></category>
		<category><![CDATA[sysadmin]]></category>
		<category><![CDATA[WebServer]]></category>

		<guid isPermaLink="false">http://www.errr-online.com/?p=35</guid>
		<description><![CDATA[A simple first step toward basic security on your web server is to make the response headers say as little as possible. This is not the end-all, only thing you need to do to secure your web server, but hey, like I said, it's a basic first step. When you [...]]]></description>
			<content:encoded><![CDATA[<p>A simple first step toward basic security on your web server is to make the response headers say as little as possible. This is not the end-all, only thing you need to do to secure your web server, but hey, like I said, it's a basic first step. When you hit a website and are looking at the content, you might find yourself wondering, &#8220;What OS and what web server is this person using? And hey, I see the pages end with .php, I wonder what version of that they are using too.&#8221; Well, this is all (by default on most systems) just pushed out to everyone who visits the site. You can find it without any command line skills or knowing how to use wget or curl. A simple <a href="https://addons.mozilla.org/en-US/firefox/addon/60">Firefox Plugin</a> can tell anyone this. The typical output will look something like this:</p>
<blockquote><p>X-Powered-By: PHP/5.2.6-1+lenny4<br />
Content-Type: text/html; charset=utf-8<br />
Cache-Control: no-cache, must-revalidate<br />
Pragma: no-cache<br />
Transfer-Encoding: chunked<br />
Date: Sat, 27 Feb 2010 16:18:09 GMT<br />
Server: lighttpd/1.4.25<br />
200 OK</p></blockquote>
<p>Wow, that's a lot of info about this person's server&#8230; We can see here that they are running Debian Lenny, they have PHP 5.2.6 with a patch set or two on it, and they have Lighttpd version 1.4.25. That lets a possible attacker know which security lists to go hit up looking for possible exploits in any of the above-mentioned software. And a simple nmap command can automate this whole process of looking for a &#8220;mark&#8221; through entire net blocks in a matter of seconds.</p>
<p>Let's start by giving out less info about our web server. The default response from Lighttpd is <b>lighttpd/#current-version#</b>. To change this, all we need to do is edit our lighttpd.conf file. Using your favorite text editor, open up lighttpd.conf and look through it for <b>server.tag</b>. Odds are it's not in there, but that's OK; we will add it and define the value.</p>
<blockquote><p>server.tag = "WebServer"</p></blockquote>
<p>Now that we have done that, we will need to restart the web server. Next time we check our site it will look more like this:</p>
<blockquote><p>X-Powered-By: PHP/5.2.6-1+lenny4<br />
Content-Type: text/html<br />
Transfer-Encoding: chunked<br />
Date: Sat, 27 Feb 2010 15:56:46 GMT<br />
Server: WebServer</p></blockquote>
<p>Ah, now that is much better, but that pesky PHP is still telling everyone what OS and version of PHP we have.</p>
<p>Now let's shut PHP up. Using your favorite text editor, open your php.ini file and look through it for <b>expose_php</b>. By default the value will be set to On. We need to set it to Off. Now we need to restart Lighttpd again. Our response headers will now look like:</p>
<blockquote><p>Content-Type: text/html<br />
Transfer-Encoding: chunked<br />
Date: Sat, 27 Feb 2010 16:02:47 GMT<br />
Server: WebServer</p></blockquote>
<p>Now again, this is not the end-all. You still need to secure the box with iptables or some other type of firewall, because this did not make your server any more secure than it was before. All we did was HIDE the info, making it harder to find out what you have. There are many other things you can do, like running these services in a chroot jail, but this is not going to hurt to do.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.errr-online.com/index.php/2010/02/27/hide-your-lighttpd-version-and-supress-the-x-powered-by-info-given-by-php/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Rename Files Fast from the Linux CLI</title>
		<link>http://www.errr-online.com/index.php/2010/01/14/rename-files-fast-from-the-linux-cli/</link>
		<comments>http://www.errr-online.com/index.php/2010/01/14/rename-files-fast-from-the-linux-cli/#comments</comments>
		<pubDate>Thu, 14 Jan 2010 18:16:26 +0000</pubDate>
		<dc:creator>errr</dc:creator>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[sysadmin]]></category>

		<guid isPermaLink="false">http://www.errr-online.com/?p=17</guid>
		<description><![CDATA[So today I moved our web root from this OLD system to our new server. First things first, I tried to hit some of the links and I was given the option to d/l the file&#8230; Well I could go to the Web server config file and tell it to parse these files as [...]]]></description>
			<content:encoded><![CDATA[<p>So today I moved our web root from this OLD system to our new server. First things first, I tried to hit some of the links and I was given the option to d/l the file&#8230; Well, I could go to the Web server config file and tell it to parse these files as php, or how about we ditch the .php3 for something this decade&#8230; like .php. So I go to our web root and look for all the files that end in .php3</p>
<blockquote><p>find . -iname "*.php3" -print</p></blockquote>
<p>Nice. Now I have a huge list of files here.. How on earth can I rename them without this taking all day&#8230; I used <i>rename</i> like so:</p>
<blockquote><p>find . -iname "*.php3" -print0 | xargs -0 rename -n 's/\.php3$/.php/'</p></blockquote>
<p>This command will NOT actually change ANYTHING on your system. The -n flag says to run through as a test and tell me what you would be doing if I wanted it done&#8230; I can see from this output that I do indeed want to run this command.</p>
<blockquote><p>find . -iname "*.php3" -print0 | xargs -0 rename -v 's/\.php3$/.php/'</p></blockquote>
<p>Now this time it did go through and rename, and it printed to the screen what it did (that's what the -v flag does: verbose). Now I can go through and edit the index file that pointed to these php3 files and remove that 3. Simple, and now I don't have that silly 3 on the file names any more.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.errr-online.com/index.php/2010/01/14/rename-files-fast-from-the-linux-cli/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DRAC Attack!! Default username and password for DRAC</title>
		<link>http://www.errr-online.com/index.php/2010/01/06/drac-attack-default-username-and-password-for-drac/</link>
		<comments>http://www.errr-online.com/index.php/2010/01/06/drac-attack-default-username-and-password-for-drac/#comments</comments>
		<pubDate>Wed, 06 Jan 2010 19:07:57 +0000</pubDate>
		<dc:creator>errr</dc:creator>
				<category><![CDATA[Hardware]]></category>
		<category><![CDATA[Dell]]></category>
		<category><![CDATA[DRAC]]></category>
		<category><![CDATA[Remote Access Controller]]></category>
		<category><![CDATA[Server]]></category>
		<category><![CDATA[sysadmin]]></category>

		<guid isPermaLink="false">http://www.errr-online.com/?p=10</guid>
		<description><![CDATA[Simple and quick post&#8230; The default user for DRAC is root with a password of calvin. enjoy!!
]]></description>
			<content:encoded><![CDATA[<p>Simple and quick post&#8230; The default user for <a href="http://en.wikipedia.org/wiki/Dell_DRAC">DRAC</a> is <b>root</b> with a password of <b>calvin</b><br />enjoy!!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.errr-online.com/index.php/2010/01/06/drac-attack-default-username-and-password-for-drac/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Export xBase/dBase files into MySQL</title>
		<link>http://www.errr-online.com/index.php/2010/01/04/export-xbasedbase-files-into-mysql/</link>
		<comments>http://www.errr-online.com/index.php/2010/01/04/export-xbasedbase-files-into-mysql/#comments</comments>
		<pubDate>Mon, 04 Jan 2010 18:18:36 +0000</pubDate>
		<dc:creator>errr</dc:creator>
				<category><![CDATA[Database]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Conversion]]></category>
		<category><![CDATA[dBase]]></category>
		<category><![CDATA[Export]]></category>
		<category><![CDATA[MySQL]]></category>
		<category><![CDATA[sysadmin]]></category>
		<category><![CDATA[xBase]]></category>

		<guid isPermaLink="false">http://www.errr-online.com/?p=6</guid>
		<description><![CDATA[If you have an application that uses xBase/dBase files to store data you may at some point need to export that data into a real database, like MySQL. This is a really simple task thanks to a nifty app called dbf2mysql. For my example I was using some CRM software called ACT. They used dBase [...]]]></description>
			<content:encoded><![CDATA[<p>If you have an application that uses <a href="http://en.wikipedia.org/wiki/DBase">xBase/dBase</a> files to store data, you may at some point need to export that data into a real database, like <a href="http://www.mysql.com/">MySQL</a>. This is a really simple task thanks to a nifty app called <a href="http://sourceforge.net/projects/dbf2mysql/">dbf2mysql</a>. For my example I was using some CRM software called ACT. They used dBase III files to store their data. So I just went to the Windows box that was holding my dBase file. I used WinSCP to move it to my Linux box. Next I used:</p>
<blockquote><p>dbf2mysql -vvv -c -f -d dbname -r -U dbuser -P dbuserpass CustomerInfo.dbf</p></blockquote>
<p>What this does is turn up the verbose logging to my screen; next, -c will create a table in my database named &#8220;test&#8221; (this is the default and can be changed with the -t flag); -f makes all the field names from the dbf file lower case; -d, -U, and -P seem pretty obvious; and that leaves us with -r, which will trim trailing and leading white space from CHAR type fields. All this info and more can be found in the man page. Here is the tail end of what I got from the output of my command:</p>
<blockquote><p>fields in dbh 71, allocated mem for query 4293, query size 2156<br />
Inserting records<br />
Inserting record 0<br />
Inserting record 100<br />
Inserting record 200<br />
Inserting record 300<br />
Inserting record 400<br />
Inserting record 500<br />
Inserting record 600<br />
Inserting record 700<br />
Inserting record 800<br />
Closing up&#8230;.</p></blockquote>
<p>Now I can log into phpmyadmin and verify that all my data has been moved successfully.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.errr-online.com/index.php/2010/01/04/export-xbasedbase-files-into-mysql/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
