Hide Apache and PHP Version and Signatures in Ubuntu Linux


By default, your Apache web server (and PHP if it is installed) will indicate to clients the exact version of the Apache software which is running. This version information can be seen in the HTTP response header.

At times, such behaviour is undesirable, as some administrators think it makes their server more vulnerable to attack: an attacker immediately knows which software versions are running and may then easily gather any available exploits. The simple fact is that even if your server software is masked, an attacker can try to determine the versions using other means, or they can just try to attack it using all the exploits they have.

Whatever your intention, turning off these signatures adds an extra (albeit minimal) level of complexity for a potential attacker.

The steps below explain how.

How to disable Apache signature

Open the relevant apache2.conf config file:

nano /etc/apache2/apache2.conf

At the end of the file, or at some other sensible location, add the following lines:

ServerTokens Prod
ServerSignature off

Restart your server for the new changes to take effect:

/etc/init.d/apache2 restart

How to disable PHP signature

Open the relevant php.ini config file:

nano /etc/php5/apache2/php.ini

Find the line that says:

expose_php = On

And change it to:

expose_php = Off

Finally restart your server again for the new changes to take effect:

/etc/init.d/apache2 restart

Now your server is a little bit more secure from attackers since it will only indicate that it is an Apache server with no clues as to the version number of the modules which are installed.
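To confirm that all three settings took effect, the following added example (not from the original article) scans a captured HTTP response for the headers and error-page footer they control. The function names and both sample responses, including their version strings and host name, are constructed for illustration.

```shell
# Added example, not from the original article. check_response is a
# hypothetical helper: it reads headers, a blank line and the body on stdin
# (the output of curl -si) and exits 1 if any version disclosure is found.
check_response() {
    awk '
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        $0 == "" { in_body = 1; next }     # first blank line ends the headers
        !in_body && tolower($0) ~ /^server:/ {
            v = $0; sub(/^[^:]*:[ \t]*/, "", v)
            # ServerTokens Prod leaves a bare "Apache"; a slash, digit or
            # parenthesis means version, OS or module detail is still sent.
            if (v ~ "[/0-9(]") { print "LEAK Server: " v; n++ }
        }
        !in_body && tolower($0) ~ /^x-powered-by:/ {
            # expose_php = Off removes this header entirely.
            v = $0; sub(/^[^:]*:[ \t]*/, "", v)
            print "LEAK X-Powered-By: " v; n++
        }
        in_body && /<address>.*Server at .*<\/address>/ {
            # ServerSignature off removes this footer from error pages.
            print "LEAK ServerSignature footer"; n++
        }
        END { exit (n > 0 ? 1 : 0) }
    '
}

# Constructed sample: what an unhardened install can disclose.
sample_before() {
    printf '%s\r\n' 'HTTP/1.1 404 Not Found' \
        'Server: Apache/2.4.7 (Ubuntu)' 'X-Powered-By: PHP/5.5.9' \
        'Content-Type: text/html' '' \
        '<address>Apache/2.4.7 (Ubuntu) Server at www.example.com Port 80</address>'
}

# Constructed sample: the same request after the three changes.
sample_after() {
    printf '%s\r\n' 'HTTP/1.1 404 Not Found' 'Server: Apache' \
        'Content-Type: text/html' '' '<p>Not Found</p>'
}
```

Against a live server, request a path that does not exist, for example curl -si http://localhost/no-such-page | check_response, so that the error-page footer is checked along with the headers.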

Note: Disabling the “Server: Apache” line in the HTTP response header altogether cannot be readily done using configurations (if at all), and will usually have to be done by recompiling the web server binaries. If you are running such a critical application that warrants such extreme measures, this task is left up to you. The bottom line is that if your software is kept up to date, it shouldn’t matter if an attacker knows what type of web server you are running.


Make Password Asterisks Visible in Your Linux Terminal

When you run a command with sudo in Linux, the terminal prompts you to type in your password—and doesn’t give you any visual feedback. Here’s a quick tweak that’ll bring back those familiar asterisks (*) when you type in your password.

Run the following command in a terminal:

sudo visudo

Scroll down to the line that looks like this:

Defaults env_reset

And change it to:

Defaults env_reset,pwfeedback

Press Ctrl+X to finish editing, Y to save changes, and Enter to exit if you’re on Ubuntu. Other Linux distros may have different commands depending on the default editor.

Now, when you run a command with sudo, you should get visual feedback when you type in your password. This should work in all versions of Ubuntu after version 10.04, as well as many other versions of Linux.