errr-online.com

A simple first step to some basic security on your web server is to make the response headers say as little as possible. This is not going to be the end all only thing you need to do to secure your web server, but hey like I said its a basic first step. When you hit a website and are looking at the content you might find your self wondering “What OS, and what web server is this person using.. And hey I see the pages end with .php I wonder what version of that they are using too..” Well this is all (by default on most systems) just pushed out to everyone who visits the site. You can find this with out even having to have any command line skills or know how to use wget or curl. A simple Firefox Plugin can tell anyone this. The typical output will look something like this:

X-Powered-By: PHP/5.2.6-1+lenny4
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Transfer-Encoding: chunked
Date: Sat, 27 Feb 2010 16:18:09 GMT
Server: lighttpd/1.4.25
200 OK

Wow thats a lot of info about this persons server… We can see here that they are running Debian Lenny, and they have php 5.2.6 with a patch set or 2 on it, and they have Lighttpd version 1.4.25. That now lets a possible attacker know which security lists to go hit up looking for possible exploits in any of the above mentioned software.. And a simple nmap command can automate this whole process of looking for a “mark” through entire net blocks in a matter of seconds.

Lets start by telling less info about our web server. The default response from Lighttpd is lighttpd #current-version# To change this all we need to do is edit our lighttpd.conf file. Using your favorite text editor lets open up lighttpd.conf and look though it for server.tag Odds are its not in there but thats OK we will add it and define the value.

server.tag = “WebServer”

Now that we have done that we will need to restart the web server. Next time we check our site it will look more like this:

X-Powered-By: PHP/5.2.6-1+lenny4
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sat, 27 Feb 2010 15:56:46 GMT
Server: WebServer

Ah now that is much better but that pesky PHP is still telling everyone what OS and version of PHP we have.

Now lets shut PHP up. Using your favorite text editor open your php.ini file and lets look through it for expose_php By default the value will be set to On. We need to set it to Off. Now we need to restart Lighttpd again. Now our response headers will look like:

Content-Type: text/html
Transfer-Encoding: chunked
Date: Sat, 27 Feb 2010 16:02:47 GMT
Server: WebServer

Now again.. This is not the end all.. you still need to sercure the box with iptables or some other type of firewall because this did not make your server any more secure than it was before. All we did was HIDE the info making it harder to find out what you have. There are many other things you can do like running these services in a chroot jail, but this is not going to hurt to do.