
Author Topic: Disable Expose PHP and Use Production Value for ServerTokens (Apache)  (Read 3256 times)


sajugovind

  • Guest

Servers by default display information via Apache and PHP that makes them vulnerable. With Apache, the version number and installed module versions are listed at the bottom of 404 error pages. With PHP, because it runs on our servers as CGI, when it processes PHP scripts it adds the "X-Powered-By" header and displays the version number. In both cases this is not desirable, as attackers can use such information to compromise the server.

This is what it looks like when ServerTokens is set to Full.

To fix this for new servers take the following steps:

For Apache, open /etc/httpd/conf/httpd.conf in your favorite text editor. Search for ServerTokens and it should find an entry that reads:

ServerTokens Full

Change this to:

ServerTokens Prod

Save the file and restart Apache using service httpd restart.

For PHP, locate the global php.ini. For servers with both PHP4 and PHP5, you'll need to edit the php.ini for each PHP version. PHP4 is usually located in /usr/local/php4/lib/. For PHP5 it is usually located in /usr/local/lib/. You'll want to open each php.ini in your favorite text editor and search for expose_php. You should find an entry that reads:

expose_php = On

Change this to:

expose_php = Off

Save the file, and restart Apache.

This concludes my small server security tweak.
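As an added example (not code from the original post), here is a POSIX shell check that reports whether a given httpd.conf and php.ini already carry the hardened values the post describes. The file paths and the sample config files are assumptions constructed for the demonstration; the last non-comment occurrence of each directive is treated as the effective one, and a missing directive falls back to the Apache and PHP defaults (Full and On).

```shell
#!/bin/sh
# Added example, not code from the original post: audit an httpd.conf and a
# php.ini for the two settings the post changes. File paths are assumed to be
# passed in; the sample files below are constructed for the demonstration.

# Print the effective value of a directive (case-insensitive key). The last
# non-comment occurrence wins, as a later line overrides an earlier one.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (line ~ /^[#;]/) next             # whole-line comment
            sub(/[[:space:]]*[#;].*$/, "", line) # trailing comment
            n = split(line, f, /[[:space:]=]+/)
            if (n >= 2 && tolower(f[1]) == key) val = f[2]
        }
        END { print val }' "$1"
}

# Exit 0 when ServerTokens hides the version; Apache defaults to Full if unset.
check_apache() {
    v=$(effective_value "$1" ServerTokens | tr '[:upper:]' '[:lower:]')
    case "${v:-full}" in prod|productonly) return 0 ;; *) return 1 ;; esac
}

# Exit 0 when expose_php is disabled; PHP defaults to On if unset.
check_php() {
    v=$(effective_value "$1" expose_php | tr '[:upper:]' '[:lower:]')
    case "${v:-on}" in off|0|false|no|none) return 0 ;; *) return 1 ;; esac
}

# Constructed sample files covering the weak and the hardened state.
tmp=$(mktemp -d)
printf 'ServerTokens Full\n' > "$tmp/httpd.weak.conf"
printf '# hardened later in the file\nServerTokens Full\nServerTokens Prod\n' > "$tmp/httpd.prod.conf"
printf ';expose_php = Off\nexpose_php = On\n' > "$tmp/php.weak.ini"
printf 'expose_php = Off ; hardened\n' > "$tmp/php.off.ini"

for f in "$tmp/httpd.weak.conf" "$tmp/httpd.prod.conf"; do
    if check_apache "$f"; then echo "$f: ServerTokens hardened"; else echo "$f: version exposed"; fi
done
for f in "$tmp/php.weak.ini" "$tmp/php.off.ini"; do
    if check_php "$f"; then echo "$f: expose_php off"; else echo "$f: X-Powered-By exposed"; fi
done
```

Point the two check functions at the real /etc/httpd/conf/httpd.conf and each php.ini after the edits, and a non-zero exit tells you which file still needs attention.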