How do I block people from outside my web server from seeing what technologies I'm using (e.g., Apache or PHP)?

Question

I am running a test server locally that is also broadcasted (for education purposes) on a Mac. I ran a software called acunetix from another computer and it was able to detect the technologies used on the server.

How can I prevent others from viewing the technology my server is running?

Answer 1

Here is one thing you can do to hide the Apache, PHP and OS version information.

Before:

HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 12:20:30 GMT
Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.4
X-Powered-By: PHP/5.2.3-1ubuntu6.4
Connection: close
Content-Type: text/html; charset=UTF-8

After:

HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 13:06:21 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=UTF-8

Also, make sure that you have custom error pages so that they don't reveal information about Apache and PHP.

Answer 2

1)Using mod_security you can change your ServerSignature to somthing compeltely different like this:

SecServerSignature "Microsoft IIS"

Without mod_security, your http header will still say "Apache".

2)Even if you don't have a .php extension you can see if the file is a PHP file by doing this:

http://digg.com/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42

This url will display: :

To stop this image hack and other issues, make sure this is set in your php.ini:

expose_php=Off

Also make sure:

display_errors=off

and:

session.name=session_id

3)For more fingerprinting try nmap -sV yourdomain.com , often times ssh will leak detailed information like what Linux distro you are running. I recommended disabling what you can and hiding the rest with port knocking .

Answer 3

Iptables for linux, or use .htaccess file in www-root-dir

Order Deny,Allow

Deny from all

Allow from local.

Allow from 167.0.2.1, 167.0.2.2

or settings in httpd.conf