Today I discovered that you can use webmaster tools or some related tools to directly check the PHP version number and Apache version number used by a server. This is very unsafe for the website: if there is a problem with these versions, some people can attack it directly. Let's take a look at how to hide the versions. Unfortunately, I haven't found a solution under Windows yet.
Hide PHP version
For security reasons, it is best to hide the PHP version to avoid some attacks caused by PHP version vulnerabilities.
1. Hiding the PHP version means hiding the information "X-Powered-By: PHP/5.2.13".
The method is very simple:
Edit the php.ini configuration file and modify or add:

    expose_php = Off

After saving, restart the corresponding web server, such as Nginx or Apache.

    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 20 Jul 2010 05:45:13 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Vary: Accept-Encoding

Generally, software vulnerability information is related to a specific version, so the software version number is very valuable to attackers.

    [root@localhost tmp]# curl -I 192.168.80.128:88
    HTTP/1.1 403 Forbidden
    Date: Wed, 21 Jul 2010 13:09:33 GMT
    Server: Apache/2.2.15 (CentOS)
    Accept-Ranges: bytes
    Content-Length: 5043
    Connection: close
    Content-Type: text/html; charset=UTF-8

Hide method:

    vim /etc/httpd/conf/httpd.conf

    apachectl restart


    [root@localhost tmp]# curl -I 192.168.80.128:88
    HTTP/1.1 403 Forbidden
    Date: Wed, 21 Jul 2010 13:23:22 GMT
    Server: Apache
    Accept-Ranges: bytes
    Content-Length: 5043
    Connection: close
    Content-Type: text/html; charset=UTF-8

The version number and operating system information have been hidden.
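
To repeat this check after every configuration change, the script below (an added example, not part of the original post) reads curl -I output and reports any Server or X-Powered-By header that still carries a version number or platform comment. The function name leaky_headers is hypothetical, and the sample responses are constructed from the header values shown above.

```shell
#!/bin/sh
# Added example (not from the original post): audit response headers for
# version disclosure. Reads raw `curl -I` output on stdin, prints each
# offending header, returns 1 if any was found and 0 if the banner is clean.
# Live use (host from this page): curl -sI 192.168.80.128:88 | leaky_headers

leaky_headers() {  # hypothetical helper name
    # HTTP lines end in CRLF; drop the CR so matching and output stay clean.
    tr -d '\r' | awk '
        {
            colon = index($0, ":")
            if (colon == 0) next                      # status line or blank
            name = tolower(substr($0, 1, colon - 1))  # names are case-insensitive
            if (name != "server" && name != "x-powered-by") next
            value = substr($0, colon + 1)
            sub(/^[ \t]+/, "", value)
            # Leak patterns: product/version token (Apache/2.2.15, PHP/5.2.13)
            # or a parenthesised platform comment such as (CentOS).
            if (value ~ /\/[0-9]/ || value ~ /\([^)]*\)/) {
                print substr($0, 1, colon - 1) ": " value
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed samples, assembled from the header values shown on this page.
SAMPLE_BEFORE='HTTP/1.1 403 Forbidden
Date: Wed, 21 Jul 2010 13:09:33 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.2.13
Connection: close'

SAMPLE_AFTER='HTTP/1.1 403 Forbidden
Date: Wed, 21 Jul 2010 13:23:22 GMT
server: Apache
Connection: close'

printf '%s\n' "$SAMPLE_BEFORE" | leaky_headers || echo "-> version details still exposed"
printf '%s\n' "$SAMPLE_AFTER" | leaky_headers && echo "-> banner is clean"
```

The nonzero return on a leak lets the function gate a deployment or monitoring job.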
3. The above method is for an Apache installed by default. If you compiled and installed Apache from source, you can also modify the source code before compiling:
Go to the include directory under the Apache source code directory, and then edit the ap_release.h file. You will see the following variables:

    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"
    #define AP_SERVER_MAJORVERSION_NUMBER 2