
Summary of methods to hide the PHP version and Apache version

WBOY
2016-07-13 10:47:46

Today I discovered that you can use webmaster tools or similar utilities to directly check the PHP version number and Apache version number used by a server. This is very unsafe for the website: if there is a problem with these versions, some people can exploit it directly. Let's take a look at how to hide the versions. Unfortunately, I haven't found a solution under Windows yet.

Hide PHP version

For security reasons, it is best to hide the PHP version to avoid some attacks caused by PHP version vulnerabilities.

1. Hiding the PHP version means hiding the information "X-Powered-By: PHP/5.2.13".

The method is very simple:

Edit the php.ini configuration file and modify or add:

expose_php = Off

After saving, restart the corresponding web server, such as Nginx or Apache.

[root@bkjz /]# curl -I www.bKjia.c0m
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 20 Jul 2010 05:45:13 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding



The PHP version has been completely hidden.

Hide Apache version number
Generally, software vulnerability information is tied to a specific version, so the software version number is very valuable to attackers.

By default, the system displays the full Apache version and module information (in the HTTP response headers). If a directory is listed, the domain name information is also displayed (in the text of the file list), such as:

[root@localhost tmp]# curl -I 192.168.80.128:88
HTTP/1.1 403 Forbidden
Date: Wed, 21 Jul 2010 13:09:33 GMT
Server: Apache/2.2.15 (CentOS)
Accept-Ranges: bytes
Content-Length: 5043
Connection: close
Content-Type: text/html; charset=UTF-8

Hide method:

1. The way to hide the Apache version number is to modify the Apache configuration file. For example, the default location on RedHat Linux is:

vim /etc/httpd/conf/httpd.conf

Search for the keywords ServerTokens and ServerSignature respectively, and modify them:

ServerTokens OS is changed to ServerTokens ProductOnly
ServerSignature On is changed to ServerSignature Off

2. Restart or reload Apache:

apachectl restart

Test it as follows:

[root@localhost tmp]# curl -I 192.168.80.128:88
HTTP/1.1 403 Forbidden
Date: Wed, 21 Jul 2010 13:23:22 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 5043
Connection: close
Content-Type: text/html; charset=UTF-8

The version number and operating system information have been hidden.

3. The above method applies to Apache as installed by default. If Apache was compiled and installed from source, you can also modify the source code before compiling:

Go to the include directory under the Apache source code directory, and then edit the ap_release.h file. You will see the following variables:

#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
#define AP_SERVER_BASEPROJECT "Apache HTTP Server"
#define AP_SERVER_BASEPRODUCT "Apache"

#define AP_SERVER_MAJORVERSION_NUMBER 2
#define AP_SERVER_MINORVERSION_NUMBER 2
#define AP_SERVER_PATCHLEVEL_NUMBER 15
#define AP_SERVER_DEVBUILD_BOOLEAN 0

You can modify or hide the version number and name according to your own preferences. I haven't found a way to hide the Apache and PHP version numbers under Windows yet. I will update it below if I find it.
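The curl -I checks in the PHP and Apache sections above can be automated. The following is an added example, not part of the original article: it reads response headers and reports any Server or X-Powered-By value that still discloses a version or operating system. The function names and sample inputs are constructed for illustration, using the header values shown in the article.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): audit HTTP response headers
# for the version disclosure that expose_php / ServerTokens are meant to remove.
# Input : raw response headers on stdin, e.g. from `curl -sI http://HOST/`
# Output: one finding per line; exit status 1 if anything is disclosed, else 0.
audit_headers() {
  tr -d '\r' | awk '
    {
      colon = index($0, ":")
      if (colon == 0) next                       # status line or blank line
      name  = tolower(substr($0, 1, colon - 1))  # header names are case-insensitive
      value = substr($0, colon + 1)
      sub(/^[ \t]+/, "", value)

      # "Apache/2.2.15 (CentOS)": a product/version token or an (OS) comment
      if (name == "server" && (value ~ /\/[0-9]/ || value ~ /\(/)) {
        print "DISCLOSURE Server: " value
        bad = 1
      }
      # With expose_php = Off this header is absent altogether
      if (name == "x-powered-by") {
        print "DISCLOSURE X-Powered-By: " value
        bad = 1
      }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed samples built from header values shown in the article,
# with the CRLF line endings a real server sends.
sample_before() {
  printf 'HTTP/1.1 403 Forbidden\r\nServer: Apache/2.2.15 (CentOS)\r\nX-Powered-By: PHP/5.2.13\r\nConnection: close\r\n\r\n'
}
sample_after() {
  printf 'HTTP/1.1 403 Forbidden\r\nDate: Wed, 21 Jul 2010 13:23:22 GMT\r\nServer: Apache\r\nConnection: close\r\n\r\n'
}

# Demo on the constructed samples
sample_before | audit_headers || echo "before: version disclosure found"
sample_after  | audit_headers && echo "after: nothing disclosed"
```

Because the function returns a non-zero status on any finding, it can gate a deployment or monitoring job that pipes `curl -sI` output into it.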