
How to hide the server application version



Hiding the version of the software running on a server is a cheap way to make an attacker's job harder. Knowing the exact version of, say, the web server lets them go straight to the exploits that apply to it; without it they have to guess or probe, which costs time and makes noise in your logs.

Bear in mind that this is obscurity, not a fix: it does not close any vulnerability, and a service can still be fingerprinted by its behaviour, so keep patching. This page lists the settings of a few common applications that hide the version and, in some cases, the fact that the service is in use at all.




Nginx

To hide the nginx version, add the following line to the http block of /etc/nginx/nginx.conf (it applies both to the Server header and to the built-in error pages):

  server_tokens off; 

The header then reads just "Server: nginx". Stock nginx cannot change that text from the configuration: replacing or dropping the Server header entirely takes the third-party headers-more module (more_set_headers / more_clear_headers) or a rebuild with the string patched in the source.

Apache

To hide the Apache version, open /etc/apache2/conf.d/security.conf (on current Debian and Ubuntu releases the file is /etc/apache2/conf-available/security.conf) and set:

  ServerTokens Prod 

Prod reduces the Server header to a bare "Apache". Set ServerSignature Off in the same file as well, so that error pages and directory listings stop printing the server line with the version.

Postfix

By default Postfix does not print its version in the greeting, but it does announce that Postfix is in use and, on Debian, the distribution as well. Both can be hidden.

Open /etc/postfix/main.cf and remove the "(Debian/GNU)" suffix from the smtpd_banner parameter, whose default on Debian is:

  smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) 

Then set mail_name, the value that $mail_name expands to in the banner and in the Received: headers, to something neutral:

  mail_name = MailServer 

After restarting Postfix, clients connecting to the server will see something like this:

  root@localhost:~# telnet localhost 25
  Trying ::1...
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  220 example.com ESMTP MailServer 

Mail that passes through the server carries a Received: header of this form:

  Received: by example.com (MailServer, from userid 1001) 
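The following shell script is an added example, not part of the original article: it applies the two Postfix settings with postconf instead of editing main.cf by hand, and then checks an SMTP greeting for the product, version and distribution strings the change is meant to remove. The keyword list in smtp_banner_leaks and the two sample banners are assumptions constructed for the example; fetch_smtp_banner needs bash and a live host.

```shell
#!/bin/sh
# Added example (not from the original article): apply the Postfix banner
# change with postconf and verify the greeting afterwards. The live helpers
# need a real host; the self-checks below use constructed banner strings.

# Apply the two main.cf settings from the text (run as root). postconf -e
# rewrites main.cf in place, so no manual editing is needed.
harden_postfix_banner() {
    postconf -e 'smtpd_banner = $myhostname ESMTP $mail_name' \
                'mail_name = MailServer' \
        && systemctl restart postfix
}

# True (exit 0) when an SMTP greeting names the MTA product, a version
# number, or a distribution. The keyword list is an assumption made for
# this example, not an exhaustive fingerprint database.
smtp_banner_leaks() {
    printf '%s\n' "$1" | grep -Eiq \
        'postfix|exim|sendmail|debian|ubuntu|centos|[0-9]+\.[0-9]+'
}

# Read the greeting line from a live server. Uses bash's /dev/tcp, so run
# it under bash; the self-checks do not call it.
fetch_smtp_banner() {
    host=$1
    port=${2:-25}
    exec 3<>"/dev/tcp/$host/$port" || return 2
    IFS= read -r -t 5 line <&3
    printf 'QUIT\r\n' >&3
    exec 3<&- 3>&-
    printf '%s\n' "$line" | tr -d '\r'
}

# Constructed banners: Debian's stock greeting and the hardened one.
DEFAULT_BANNER='220 example.com ESMTP Postfix (Debian/GNU)'
HARDENED_BANNER='220 example.com ESMTP MailServer'

for banner in "$DEFAULT_BANNER" "$HARDENED_BANNER"; do
    if smtp_banner_leaks "$banner"; then
        printf 'LEAK  %s\n' "$banner"
    else
        printf 'ok    %s\n' "$banner"
    fi
done
```

Run it once before and once after harden_postfix_banner; the first line must flip from LEAK to ok. To check a remote host instead of a literal string, call `smtp_banner_leaks "$(fetch_smtp_banner mail.example.com)"` under bash.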

PHP

The web server can disclose the PHP version in a response header:

  X-Powered-By: PHP/5.6.19-0+deb8u1

The expose_php directive removes that header:

  expose_php = Off 

It can be set in several places:

  1. In /etc/php5/*/php.ini (there is one copy per SAPI: apache2, fpm, cli)
  2. In the php-fpm pool file: php_admin_value[expose_php] = "Off"
  3. In the Apache virtual host configuration (mod_php only): php_admin_value expose_php Off

Restart php-fpm or Apache afterwards for the change to take effect.

Mysql

In general, with regard to MySQL, it makes no sense to hide the version. But you should restrict access to it from the outside, if you do not need external connections (for which you should allow access only from specific IP). Therefore, in the configuration file /etc/mysql/my.cnf, we change the parameter:

  bind-address = 127.0.0.1 
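To confirm that the setting actually took effect, look at the socket table rather than the config file. The script below is an added example, not from the original article: it parses `ss -ltn` output and reports whether port 3306 is bound to a wildcard address. The two sample tables are constructed for the example; check_mysql_listener runs the same check against the live system.

```shell
#!/bin/sh
# Added example (not from the original article): confirm from the socket
# table that mysqld is only reachable on loopback once bind-address is set.
# The check reads `ss -ltn` output; constructed samples are used below.

# Read `ss -ltn` output on stdin. Exit 0 (true) if TCP port 3306 is bound to
# a wildcard address, i.e. reachable from other hosts; exit 1 otherwise.
mysql_listener_exposed() {
    awk '
        $1 == "LISTEN" {
            n = split($4, part, ":")              # "Local Address:Port" column
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == "3306" &&
                (addr == "0.0.0.0" || addr == "*" || addr == "::" || addr == "[::]"))
                exposed = 1
        }
        END { exit (exposed ? 0 : 1) }'
}

# Run the check against the live socket table (Linux, iproute2).
check_mysql_listener() {
    ss -ltn | mysql_listener_exposed
}

# Constructed `ss -ltn` output: before and after bind-address = 127.0.0.1.
EXPOSED_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

LOOPBACK_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

for table in "$EXPOSED_SS" "$LOOPBACK_SS"; do
    if printf '%s\n' "$table" | mysql_listener_exposed; then
        echo 'EXPOSED: port 3306 is bound to a wildcard address'
    else
        echo 'ok: port 3306 listens on loopback only (or not at all)'
    fi
done
```

Both IPv4 and IPv6 wildcards are covered because ss prints the IPv6 any-address as `*:3306` or `[::]:3306` depending on version. A listener that is absent from the table counts as "ok", so run it only after confirming mysqld is up.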

Lighttpd

Nothing complicated here either. The server.tag option sets the Server header, so it hides both the version and the fact that lighttpd is in use; you can put anything you like in it:

  server.tag = "FrontPage" 
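Every HTTP setting on this page (nginx server_tokens, Apache ServerTokens, PHP expose_php, lighttpd server.tag) is verified the same way: fetch the response headers and see what Server and X-Powered-By still say. The script below is an added example, not from the original article: http_headers_leak flags a Server header that contains a version or a parenthesised OS string and any X-Powered-By header at all; the four header sets are constructed samples, and check_url runs the same check against a live URL with curl.

```shell
#!/bin/sh
# Added example (not from the original article): check HTTP response headers
# for the disclosures the nginx, Apache, PHP and lighttpd settings above are
# meant to remove. Constructed header sets drive the self-checks; check_url
# queries a live server.

# Read raw response headers on stdin. Exit 0 (true) if the Server header
# carries a version number or a parenthesised OS string, or if any
# X-Powered-By header is present at all; exit 1 otherwise.
http_headers_leak() {
    tr -d '\r' | awk -F': *' '
        { name = tolower($1); value = tolower($2) }
        name == "server" && value ~ /\/[0-9]|[0-9]+\.[0-9]+|\(/ { leak = 1 }
        name == "x-powered-by"                                  { leak = 1 }
        END { exit (leak ? 0 : 1) }'
}

# Fetch headers from a live URL and run the check on them (curl -D - writes
# the response headers to stdout). Not exercised by the self-checks.
check_url() {
    curl -sS -o /dev/null -D - "$1" | http_headers_leak
}

# Constructed header sets: stock responses and the hardened ones.
NGINX_DEFAULT='HTTP/1.1 200 OK
Server: nginx/1.14.2
X-Powered-By: PHP/5.6.19-0+deb8u1
Content-Type: text/html'

NGINX_HARDENED='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

APACHE_DEFAULT='HTTP/1.1 200 OK
Server: Apache/2.4.38 (Debian)
Content-Type: text/html'

LIGHTTPD_TAGGED='HTTP/1.1 200 OK
Server: FrontPage
Content-Type: text/html'

for headers in "$NGINX_DEFAULT" "$NGINX_HARDENED" "$APACHE_DEFAULT" "$LIGHTTPD_TAGGED"; do
    if printf '%s\n' "$headers" | http_headers_leak; then
        printf 'LEAK  %s\n' "$(printf '%s\n' "$headers" | grep -i '^Server:')"
    else
        printf 'ok    %s\n' "$(printf '%s\n' "$headers" | grep -i '^Server:')"
    fi
done
```

The pattern deliberately catches "Apache/2" (ServerTokens Major or Minor) as well as full versions, because a major version is still enough to narrow an exploit search. Use `check_url https://www.example.com/` on the real host after each restart; a bare product name ("nginx", "Apache") passes, which matches what server_tokens off and ServerTokens Prod can deliver.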

Notes

Remember that each service has to be restarted (or reloaded) after its configuration changes, and that the only proof the change worked is what a client sees: check the banner or headers with telnet, nc or curl afterwards rather than trusting the config file.

And stick to the old poster rule: "Don't talk!"


