Security through obscurity – hiding your server version information

I’ve recently spent a lot of time reviewing the OWASP documentation, and (like many corporations) realized that I’d neglected to keep up with this configuration item.

If your server advertises the exact version of each piece of software it runs, “hackers” can quickly pick out unpatched systems and look up the known vulnerabilities for those versions.

To make their work harder, there are a few simple steps the server admin can take to remove this information from the HTTP headers and error pages.

Apache HTTPd:

  1. sudo vi /etc/apache2/conf-enabled/security.conf
  2. Add:

    ServerTokens ProductOnly
    ServerSignature Off
  3. If using virtual hosts, add the following to each one:
    ServerSignature Off
  4. sudo service apache2 restart

Apache Tomcat:

  1. vi /opt/tomcat7/conf/server.xml
  2. Find the <Connector > entry and add:
    server="Apache"
  3. cd /opt/tomcat7/lib
  4. mkdir -p org/apache/catalina/util
  5. vi /opt/tomcat7/lib/org/apache/catalina/util/ServerInfo.properties
    server.info=Apache Tomcat
  6. sudo service tomcat7 restart

PHP (removes the “X-Powered-By: PHP/5.x.x-1ubuntuX.X” header):

  1. sudo vi /etc/php5/apache2/php.ini
    expose_php = Off
  2. sudo service apache2 restart
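
Once the three changes above are in place, it is worth checking a saved response rather than trusting the config edit. The following script is an added example (not part of the original post); it parses a raw HTTP response and reports the three leaks this post removes. The two sample responses are constructed, not captured from a real host.

```python
import re

# A version string inside a product token, e.g. "Apache/2.4.7" or "Apache-Coyote/1.1".
VERSION_RE = re.compile(r"/\d+(\.\d+)+")
# Apache's ServerSignature footer on error pages.
SIGNATURE_RE = re.compile(r"<address>.*?Server at .*?Port \d+</address>", re.I | re.S)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_leaks(raw):
    """Return a list of version-disclosure findings for one response."""
    _, headers, body = parse_response(raw)
    leaks = []
    server = headers.get("server", "")
    if VERSION_RE.search(server):  # ServerTokens / Tomcat server="..." not applied
        leaks.append("Server header discloses version: %r" % server)
    if "x-powered-by" in headers:  # PHP expose_php still On
        leaks.append("X-Powered-By header present: %r" % headers["x-powered-by"])
    if SIGNATURE_RE.search(body):  # ServerSignature still On
        leaks.append("ServerSignature footer present in response body")
    return leaks


# Constructed sample: default Ubuntu Apache + PHP 404 page, before the changes.
BEFORE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h1>Not Found</h1><hr>"
    "<address>Apache/2.4.7 (Ubuntu) Server at example.com Port 80</address></body></html>"
)
# Constructed sample: the same page after ServerTokens/ServerSignature/expose_php changes.
AFTER = (
    "HTTP/1.1 404 Not Found\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, find_leaks(raw) or "no leaks found")
```

To check a live host, save the output of `curl -si http://host/nonexistent` to a file and pass its contents to `find_leaks`.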

Setup of Static IP addresses on Ubuntu

In these examples, I have used the OpenDNS servers; please change them as appropriate.


sudo vi /etc/network/interfaces

Example contents:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 10.1.10.xxx
netmask 255.255.255.0
network 10.1.10.0
broadcast 10.1.10.255
gateway 10.1.10.1
dns-nameservers 208.67.222.222 208.67.220.220
dns-search home


sudo vi /etc/resolv.conf

NOTE: I’m not 100% sure if this is required!
Add appropriate content, example:

nameserver 208.67.222.222
nameserver 208.67.220.220
search home

sudo restart networking
ifconfig                              # confirm eth0 now shows the static address
sudo ifdown eth0 && sudo ifup eth0    # or bring the interface down and up again
sudo reboot                           # or reboot if the above did not take effect
