


This note records how to hide the version number of the web server from the client.
The yardstick is the simplest possible browser plug-in; Wappalyzer is recommended.
If the site is accessed through CloudFlare, this sensitive information is filtered out anyway; when it is accessed directly by IP, it is not.



Apache


Add the following to the main conf file and reload httpd; the httpd version information is then hidden.

vim /etc/httpd/conf/httpd.conf

ServerTokens Prod
ServerSignature Off

▲ Apache configuration that hides the version number


ServerTokens Directive
ServerTokens decides how much information is put into the Server field of the HTTP response header.

ServerTokens Full (or not specified)
    Server sends (e.g.): Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2
ServerTokens Prod[uctOnly]
    Server sends (e.g.): Server: Apache
ServerTokens Major
    Server sends (e.g.): Server: Apache/2
ServerTokens Minor
    Server sends (e.g.): Server: Apache/2.4
ServerTokens Min[imal]
    Server sends (e.g.): Server: Apache/2.4.2
ServerTokens OS
    Server sends (e.g.): Server: Apache/2.4.2 (Unix)

ServerSignature controls the “footer line” that Apache appends to the error pages it generates itself (HTTP error codes such as 404 Not Found).
This line can also leak the Apache version number; a small experiment shows the difference. How much of the version appears in that footer follows the ServerTokens setting, which is why the experiment below, run with ServerTokens Prod, shows only “Apache” plus the hostname and port.
ServerSignature Directive
dywang - Hiding sensitive information

[Experiment] ServerSignature On/Off

ServerTokens Prod
ServerSignature Off

Look at the source of the 404 Not Found page directly:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /nothisfile was not found on this server.</p>
</body></html>

Next set ServerSignature On and reload httpd:

ServerTokens Prod
ServerSignature On

Source:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /nothisfile was not found on this server.</p>
<hr>
<address>Apache Server at second.207.httpd.lab Port 80</address>
</body></html>

The difference is the second-to-last line: <address>Apache Server at second.207.httpd.lab Port 80</address>



PHP


vim /etc/php.ini

Find expose_php and set it to Off. This removes the X-Powered-By: PHP/... header that PHP otherwise adds to every response.

expose_php = Off

▲ expose_php_off



Nginx


Nginx server_tokens

vim /etc/nginx/nginx.conf

Add server_tokens off; inside the http section. The Server header then reads just nginx, without the version.



Results


Apache Before

HTTP/1.1 200 OK
Date: Tue, 23 Feb 2021 05:18:36 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
X-Powered-By: PHP/5.4.16
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

▲ Apache Before


Apache After

HTTP/1.1 200 OK
Date: Tue, 23 Feb 2021 05:22:56 GMT
Server: Apache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

▲ Apache After


Nginx Before

curl --head http://localhost/
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Thu, 18 Feb 2021 07:59:13 GMT
Content-Type: text/html
Content-Length: 4833
Last-Modified: Fri, 16 May 2014 15:12:48 GMT
Connection: keep-alive
ETag: "53762af0-12e1"
Accept-Ranges: bytes

Nginx After

curl --head http://localhost/
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 18 Feb 2021 07:58:31 GMT
Content-Type: text/html
Content-Length: 4833
Last-Modified: Fri, 16 May 2014 15:12:48 GMT
Connection: keep-alive
ETag: "53762af0-12e1"
Accept-Ranges: bytes
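The before/after comparisons above are done by eye. Below is an added example (not part of the original note) of a small audit script that does the same check automatically: it parses response headers, flags any product/version token in the Server and X-Powered-By headers, and inspects an error page for the ServerSignature footer. The sample responses embedded in it are copied from this note's own Apache and Nginx output; the live check against /nothisfile (the path used in the experiment above) and the header/regex choices are my assumptions, not anything from Apache, Nginx or PHP themselves.

```python
"""Audit HTTP responses for server/version disclosure (headers and error-page footer)."""
import re
import sys
import urllib.error
import urllib.request

# Response headers that commonly carry product/version strings (assumption: these two suffice here).
DISCLOSING_HEADERS = ("server", "x-powered-by")

# Matches a product/version token such as "Apache/2.4.6", "nginx/1.16.1" or "PHP/5.4.16".
VERSION_RE = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.[\w-]+)*)")

# Apache's ServerSignature footer on self-generated error pages.
FOOTER_RE = re.compile(r"<address>(.*?)</address>", re.IGNORECASE | re.DOTALL)

# Sample responses, copied from the note's "Results" section (constructed test data).
SAMPLE_APACHE_BEFORE = """HTTP/1.1 200 OK
Date: Tue, 23 Feb 2021 05:18:36 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
X-Powered-By: PHP/5.4.16
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
"""
SAMPLE_APACHE_AFTER = """HTTP/1.1 200 OK
Date: Tue, 23 Feb 2021 05:22:56 GMT
Server: Apache
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
"""
SAMPLE_NGINX_BEFORE = """HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Thu, 18 Feb 2021 07:59:13 GMT
Content-Type: text/html
"""
SAMPLE_404_SIGNATURE_ON = """<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL /nothisfile was not found on this server.</p>
<hr>
<address>Apache Server at second.207.httpd.lab Port 80</address>
</body></html>"""


def parse_headers(raw):
    """Parse raw HTTP/1.x response header text into a dict keyed by lowercase header name."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # first line is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(headers, body=""):
    """Return (location, product, version) tuples for every disclosure found.

    A ServerSignature footer is reported as ("error-page-footer", "signature", text)
    even when it carries no version, because it still reveals hostname and port.
    """
    findings = []
    for name in DISCLOSING_HEADERS:
        for product, version in VERSION_RE.findall(headers.get(name, "")):
            findings.append((name, product, version))
    for footer in FOOTER_RE.findall(body):
        findings.append(("error-page-footer", "signature", " ".join(footer.split())))
        for product, version in VERSION_RE.findall(footer):
            findings.append(("error-page-footer", product, version))
    return findings


def audit_raw(raw_headers, body=""):
    """Audit a captured response (raw header text plus optional body)."""
    return find_disclosures(parse_headers(raw_headers), body)


def _fetch(url, method):
    """Fetch url; 4xx/5xx responses still carry headers and an error page, so keep them."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return {k.lower(): v for k, v in resp.headers.items()}, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return {k.lower(): v for k, v in err.headers.items()}, err.read().decode("utf-8", "replace")


def audit_url(base_url):
    """Live check of your own server: the front page headers plus a deliberate 404 page."""
    headers, _ = _fetch(base_url, "HEAD")
    findings = find_disclosures(headers)
    err_headers, err_body = _fetch(base_url.rstrip("/") + "/nothisfile", "GET")
    return findings + find_disclosures(err_headers, err_body)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost/"
    for location, product, version in audit_url(target):
        print("%-18s %-10s %s" % (location, product, version))
```

Run it as python audit.py http://localhost/ against the server you just reconfigured; an empty result means neither the Server/X-Powered-By headers nor the 404 page give away a version, which is the state the "After" captures above show. Note that the script only looks at the places this note covers; other headers or application-specific pages may still carry a version string.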