
Secure Apache and PHP, hide version numbers - darkduck
http://www.go2linux.org/linux/2011/07/secure-apache-and-php-hide-version-numbers-1122.html
======
static_cast
If I wanted to "hack" a LAMP server, I certainly wouldn't start by attacking
Apache or PHP.

The biggest attack vector is outdated scripts. Once an attacker has access to
PHP, he basically has a normal user login. Running PHP as the Apache user
gives the attacker full read access to all your web folders.

If I were him, I'd put two lines of code into the PHP webmail script to send me
your e-mail logins, and from there I can research further...

Using FastCGI for PHP, blocking/logging outgoing traffic per uid/gid, disabling
sockets for PHP uids, using Suhosin to disallow certain PHP calls, nosuid,noexec
on webroot/tmp: nothing really protects you against a mildly creative attacker...

I'm a sysadmin for a dozen LAMP shared hosting sites used by non-tech users
and keeping these things secure is a major pain in the ass.

Especially if your users want to use these ridiculous, insecure PHP scripts.
Joomla, die in a fire...

I'm sorry, disabling version numbers is a good idea, but calling it "securing"
your server is idiotic.

/rant
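As an added example (not code from the linked article or from any commenter): the two settings that actually hide the Apache and PHP version strings, with the leaking default noted beside each hardened value, the per-uid egress rules static_cast mentions, and a small header check you can point at a live server. The conf paths and the www-data user name are assumptions for a Debian-style layout; adjust for your distribution.

```shell
#!/bin/sh
# Added example, not from the article or the commenters. Assumed paths:
# /etc/apache2/conf.d and /etc/php5/conf.d (Debian-style, Apache 2.2 era).
set -eu

# 1. Banner settings.    Default (leaks)                 Hardened
#    Apache:             ServerTokens Full / OS         ServerTokens Prod
#                        ServerSignature On             ServerSignature Off
#    PHP (php.ini):      expose_php = On                expose_php = Off
# $1 is a directory prefix so the function can be exercised without root;
# with an empty prefix it writes under /etc.
write_banner_conf() {
    prefix="${1:-}"
    mkdir -p "$prefix/etc/apache2/conf.d" "$prefix/etc/php5/conf.d"
    cat >"$prefix/etc/apache2/conf.d/banner.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
EOF
    cat >"$prefix/etc/php5/conf.d/banner.ini" <<'EOF'
expose_php = Off
EOF
}

# 2. Egress rules for the uid PHP runs as ("block/log outgoing traffic per
#    uid/gid"): log new outbound connections from that uid, then reject them,
#    so a planted script cannot phone home. Prints the commands; review them,
#    insert ACCEPT rules for what the site legitimately needs (e.g. -o lo for
#    a local database) ahead of them, then run as root:
#        php_egress_rules www-data | sh
php_egress_rules() {
    uid="${1:-www-data}"   # assumed: PHP runs as www-data under FastCGI/mod_php
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -m conntrack --ctstate NEW -j LOG --log-prefix "php-egress: "\n' "$uid"
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -m conntrack --ctstate NEW -j REJECT\n' "$uid"
}

# 3. Report response headers that still disclose a version: a Server value
#    carrying a "name/x.y" token, or any X-Powered-By. Exit 0 if something
#    leaks, 1 if the headers are clean.
#    Live usage:  curl -sI http://localhost/ | version_leaks
version_leaks() {
    grep -iE '^(Server:.*/[0-9]+(\.[0-9]+)*|X-Powered-By:)'
}

# Constructed sample responses (not captured from a real host).
BEFORE='HTTP/1.1 200 OK
Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10
X-Powered-By: PHP/5.3.10
Content-Type: text/html'

AFTER='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

if printf '%s\n' "$BEFORE" | version_leaks; then
    echo "default config leaks (headers listed above)"
fi
printf '%s\n' "$AFTER" | version_leaks || echo "hardened config: no version headers"
```

The header check is the part worth keeping around: after a package upgrade or a config merge, ServerTokens is easy to lose, and `curl -sI` through `version_leaks` tells you in one line whether the banner came back.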

------
route66
Hmmm .. Security by obscurity?

When I look at my server logs I see lots of attempts to crack into software,
components or programming languages I do not use and which can't be found on
the server. The common cheap hacking script doesn't even care if it's a
Windows box when it's dumbly requesting isapi.dll.

I wonder if the effect is the same as grinding the lock-makers label off my
door locks.
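Added example (not from the article or from route66): a way to pull exactly those blind probes out of an Apache combined-format access log. A request counts as a probe when its path matches a signature no LAMP host serves (isapi.dll from the comment above, plus a couple of common scanner paths; the list is an assumption, extend it from your own logs) and the server answered 404. Output is "hits client", busiest first.

```shell
#!/bin/sh
# Added example, not from the article or the commenters.
set -eu

# Read an Apache combined log on stdin and count 404'd probe requests per
# client. $@ adds extra path signatures (extended regex) to the built-in set.
# Combined-log fields: $1 client, $7 request path, $9 status.
scanner_hits() {
    sig='isapi[.]dll|/phpmyadmin/|/w00tw00t'   # assumed signature list
    for s in "$@"; do sig="$sig|$s"; done
    awk -v re="$sig" '
        tolower($7) ~ re && $9 == 404 { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn
}

# Constructed sample log lines (documentation IPs, not real traffic).
LOG='203.0.113.7 - - [14/Jul/2011:10:12:01 +0000] "GET /scripts/isapi.dll HTTP/1.1" 404 213 "-" "-"
203.0.113.7 - - [14/Jul/2011:10:12:02 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 213 "-" "-"
198.51.100.9 - - [14/Jul/2011:10:15:30 +0000] "GET /index.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Jul/2011:10:16:00 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 213 "-" "-"'

printf '%s\n' "$LOG" | scanner_hits
# Live usage:  scanner_hits < /var/log/apache2/access.log
```

The 404 condition matters: a path that exists on your host and returns 200 is a real request, not a probe, so a client that legitimately uses /phpmyadmin/ on a server where it is installed will not show up here.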

~~~
nodata
Removing version information makes it more difficult for an unskilled
automated attack on a server, which is what most of the attacks are.

~~~
cheald
Obscuring the version number just means that Joe Blackhat has to run through
10 exploits to try to get a hit, rather than just 1. The time difference is
likely insignificant.

All this does is produce a false sense of security which may lull system
administrators into putting off critical upgrades.

~~~
nodata
Joe Blackhat isn't running the exploits - Sam Scriptkiddie is.

> All this does is produce a false sense of security which may lull system
> administrators into putting off critical upgrades.

Then the sys admin needs replacing.

Creating more work for those that automate system attacks is a good thing.

------
rphlx
Security issues aside, another reason to turn off the http server version is
that it pointlessly consumes presumably-metered bandwidth.

------
DrinkWater
Wow, this is the most basic of basic basics. I wouldn't expect such posts on
Hacker News.

~~~
syaz1
Your comment is void of content. Many do not like such posts on HN.

