Reduce Attacks on Apache+PHP

A couple of days ago I thought that one of my servers had been compromised. I thought someone had cracked my password by brute force and kept shutting down Apache at 4AM. As it turned out, I had made a mistake in the log rotation configuration, so the post-rotation restart failed to bring Apache back up.

I immediately installed DenyHosts, disabled keyboard-interactive login and hardened the firewall. It made me feel more insecure, which resulted in today's post.

With a fresh install of FreeBSD 7 on another server yesterday, I wanted to make sure that I do it properly from the start this time.

Apache adds a Server header that reveals the OS, version and some modules. PHP also adds an X-Powered-By header that shows the version of PHP. With that information publicly available, someone can write a script that exploits vulnerabilities in specific versions of Apache and/or PHP.

For Apache, you can use mod_security. It’s available as a port and at Karanbir Singh’s yum repository for CentOS users. See the directive below.

<IfModule security_module>
  SecServerSignature "Apache"
</IfModule>

Also, just to be a happy camper, I put the directive in a new configuration file that gets included by the main configuration. Consult your configuration for the path. On CentOS, the default configuration directory is /etc/httpd/conf.d. On FreeBSD, it's /usr/local/etc/apache[n]/Includes, where n is your Apache version.

For PHP, simply set expose_php to Off in your php.ini.

Disclaimer: This works for me but I’m not sure if this is the best way to do it. I tried mod_headers first but it didn’t work.
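To confirm the change actually took effect, here is an added check (not from the original post): a small POSIX sh function that audits a captured set of response headers for version disclosure. The two header sets below are constructed samples, not captured from a real host; on a server you administer, feed it the output of `curl -sI http://localhost/`.

```sh
#!/bin/sh
# Added example: audit HTTP response headers for version disclosure.
# Note: SecServerSignature only rewrites the banner when Apache's
# ServerTokens is set to Full, so check the result rather than assume it.

# Constructed sample: what a default Apache+PHP install tends to send.
BEFORE='HTTP/1.1 200 OK
Server: Apache/2.2.8 (FreeBSD) PHP/5.2.5 mod_ssl/2.2.8
X-Powered-By: PHP/5.2.5
Content-Type: text/html'

# Constructed sample: after SecServerSignature "Apache" and expose_php = Off.
AFTER='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

# Prints OK when neither header leaks anything, LEAK otherwise.
# Explanations go to stderr so the verdict on stdout stays machine-readable.
audit_headers() {
  verdict=OK
  # A clean Server header carries no version digits, no "(OS)" and no "mod/x.y".
  if printf '%s\n' "$1" | grep -i '^Server:' | grep -Eq '[0-9]|\(|/'; then
    echo "Server header still discloses versions or modules" >&2
    verdict=LEAK
  fi
  # Any X-Powered-By at all means expose_php is still On.
  if printf '%s\n' "$1" | grep -iq '^X-Powered-By:'; then
    echo "X-Powered-By header present: expose_php is still On" >&2
    verdict=LEAK
  fi
  echo "$verdict"
}

# Demonstration on the constructed samples:
echo "before hardening: $(audit_headers "$BEFORE")"
echo "after hardening:  $(audit_headers "$AFTER")"
# Against a live server you administer: audit_headers "$(curl -sI http://localhost/)"
```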
