Server Hardening Linux Applications

OS Harden
sysctl -w net.ipv4.ip_default_ttl=128 (takes effect immediately, but is lost at reboot)

and add

net.ipv4.ip_default_ttl = 128 to /etc/sysctl.conf (so it applies at reboot)
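The two steps above can drift apart (a host changed with sysctl -w but never written to the file, or a file edited but never loaded). Here is an added check script, not part of the original post, that reads the persisted value from sysctl.conf syntax and the live value from /proc/sys, which is where the kernel exposes these settings. The sysctl.conf text below is a constructed sample.

```python
"""Check that a sysctl key is set both at runtime and persistently.

Added example, not from the original post. The sysctl.conf sample is
constructed; on a real host pass the contents of /etc/sysctl.conf and let
runtime_value() read /proc/sys.
"""
from pathlib import Path
from typing import Dict, Optional

KEY = "net.ipv4.ip_default_ttl"
WANTED = 128

# Constructed sample of a sysctl.conf, including comments and blank lines
SAMPLE_SYSCTL_CONF = """\
# /etc/sysctl.conf - constructed sample
net.ipv4.ip_forward = 0

; semicolon comments are also allowed
net.ipv4.ip_default_ttl = 128
kernel.sysrq=0
"""


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Parse sysctl.conf syntax: 'key = value' lines, '#' or ';' comments.

    Later entries override earlier ones, as sysctl -p applies them in order.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            continue  # sysctl warns about malformed lines and skips them
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def runtime_value(key: str, proc_sys: Path = Path("/proc/sys")) -> Optional[str]:
    """Read the live kernel value; each dot in the key is a path component."""
    path = proc_sys.joinpath(*key.split("."))
    try:
        return path.read_text().strip()
    except OSError:
        return None  # not Linux, no permission, or key does not exist


def check_ttl(conf_text: str, live: Optional[str],
              key: str = KEY, wanted: int = WANTED) -> Dict[str, bool]:
    """Report whether the file and the running kernel both hold the wanted value.

    Only runtime set  -> setting disappears at the next reboot.
    Only persisted    -> not active until 'sysctl -p' or a reboot.
    """
    persisted = parse_sysctl_conf(conf_text).get(key)
    return {
        "persisted": persisted == str(wanted),
        "runtime": live == str(wanted),
    }


if __name__ == "__main__":
    print(check_ttl(SAMPLE_SYSCTL_CONF, runtime_value(KEY)))
```

After editing the file, sysctl -p loads it without a reboot; the check then reports True for both entries. A False under "runtime" with True under "persisted" means the file was edited but never loaded, and the reverse means only the sysctl -w step was done.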

______________________________________________________

APACHE AND PHP

ServerSignature Off
ServerTokens Prod

ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache
ServerTokens Major
Server sends (e.g.): Server: Apache/2
ServerTokens Minor
Server sends (e.g.): Server: Apache/2.0
ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/2.0.41
ServerTokens OS
Server sends (e.g.): Server: Apache/2.0.41 (Unix)
ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

Hide Apache Information

To hide this information, add the following two Apache directives to the Apache configuration file /etc/apache2/apache2.conf

ServerTokens ProductOnly

ServerSignature Off

Now you need to restart your web server using the following command

# /etc/init.d/apache2 restart

Now the Server header sent by Apache looks like this

Server: Apache

Hide PHP Version Details

If you want to hide the PHP version, edit /etc/php4/apache/php.ini (for PHP 4) or /etc/php5/apache/php.ini (for PHP 5)

Change the following option (php.ini uses key = value syntax)

expose_php = On

to

expose_php = Off

Now you need to restart your web server using the following command

# /etc/init.d/apache2 restart

After making this change PHP will no longer add its signature (the X-Powered-By header) to the web server's response.

If you run php from the command line against a PHP file, the output is the HTML a browser would receive. In some distributions (such as Debian) the command-line php binary is controlled by a different php.ini file (/etc/php[4,5]/cli/php.ini).
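The check a practitioner wants after the Apache and PHP changes above is to look at what the server actually sends. The script below is an added example, not code from the original post: it parses a raw HTTP response head, flags any product/version token in the Server header, flags a present X-Powered-By header, and checks an error page body for the footer that ServerSignature On appends. The two responses are constructed so it runs offline; in practice feed it the output of a request to the server.

```python
"""Audit an HTTP response for web server and PHP version disclosure.

Added example, not from the original post. BEFORE and AFTER are constructed
responses standing in for a server before and after the hardening above.
"""
import re
from typing import Dict, List

# Constructed 404 response with ServerTokens Full, ServerSignature On, expose_php On
BEFORE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Sat, 01 Jan 2011 00:00:00 GMT\r\n"
    "Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2\r\n"
    "X-Powered-By: PHP/4.2.2\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>\n"
    "<address>Apache/2.0.41 (Unix) Server at www.example.com Port 80</address>\n"
    "</body></html>\n"
)

# Constructed 404 response after ServerTokens ProductOnly, ServerSignature Off, expose_php = Off
AFTER = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Sat, 01 Jan 2011 00:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>\n"
)

# A product token followed by a slash and a dotted version number, e.g. PHP/4.2.2
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(\.\d+)*")


def split_response(raw: str):
    """Return (head, body) of a raw HTTP response; body is '' if absent."""
    head, sep, body = raw.partition("\r\n\r\n")
    return head, body


def parse_headers(raw: str) -> Dict[str, str]:
    """Map header names (lower-cased) to values, ignoring the status line."""
    head, _ = split_response(raw)
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosure_findings(raw: str) -> List[str]:
    """One finding per version token leaked via Server or X-Powered-By."""
    headers = parse_headers(raw)
    findings: List[str] = []
    for match in VERSION_RE.finditer(headers.get("server", "")):
        findings.append(f"Server header reveals version: {match.group(0)}")
    if "x-powered-by" in headers:
        findings.append(f"X-Powered-By header present: {headers['x-powered-by']}")
    return findings


def signature_in_body(raw: str) -> bool:
    """ServerSignature On adds an <address>... Server at ...</address> footer to error pages."""
    _, body = split_response(raw)
    lowered = body.lower()
    return "<address>" in lowered and "server at" in lowered


if __name__ == "__main__":
    for label, response in (("before", BEFORE), ("after", AFTER)):
        print(label, disclosure_findings(response), "signature:", signature_in_body(response))
```

The regex deliberately matches any "Name/1.2.3" token rather than only Apache and PHP, so loaded modules that add their own token (MyMod/1.2 in the ServerTokens Full example above) are reported as well. Checking an error page rather than a 200 response matters because the ServerSignature footer only appears on server-generated pages.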

______________________________________________________

SQUID

Disable the cache admin email address.
Change visible_hostname (the value below is a placeholder):
visible_hostname BlahBlahBlah!!!
Change unique_hostname in the same way:
unique_hostname BlahBlahBlah!!!
To disable version info on error pages and in the HTTP header:
httpd_suppress_version_string on

Disable ICP and HTCP (the inter-cache protocols) unless this proxy is part of a cache hierarchy:
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all

forwarded_for off (do not pass the client's IP address to upstream servers in an X-Forwarded-For header)
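To verify a squid.conf against the settings listed above, here is an added audit script; it is not part of the original post. squid.conf directives are whitespace-separated words with # comments, which is all the parser assumes. The configuration fragment is constructed and deliberately leaves forwarded_for at its default so the audit has something to report.

```python
"""Audit a squid.conf for the information-disclosure settings listed above.

Added example, not from the original post. SAMPLE_SQUID_CONF is constructed.
"""
from typing import Dict, List, Tuple

# Constructed squid.conf fragment; forwarded_for is intentionally left unset
SAMPLE_SQUID_CONF = """\
# constructed sample squid.conf
http_port 3128
visible_hostname proxy01          # placeholder instead of the real hostname
unique_hostname proxy01
httpd_suppress_version_string on
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all
# forwarded_for is left at its default (on), so client IPs are forwarded
"""

# Directive -> the argument words the notes above require
EXPECTED: Dict[str, Tuple[str, ...]] = {
    "httpd_suppress_version_string": ("on",),
    "icp_port": ("0",),
    "htcp_port": ("0",),
    "icp_access": ("deny", "all"),
    "htcp_access": ("deny", "all"),
    "forwarded_for": ("off",),
}


def parse_squid_conf(text: str) -> Dict[str, List[Tuple[str, ...]]]:
    """Map each directive to every argument tuple it was given (directives may repeat)."""
    directives: Dict[str, List[Tuple[str, ...]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, including trailing ones
        if not line:
            continue
        words = line.split()
        directives.setdefault(words[0], []).append(tuple(words[1:]))
    return directives


def audit_squid(text: str) -> List[str]:
    """Return one problem string per directive that is missing or not as required."""
    conf = parse_squid_conf(text)
    problems: List[str] = []
    for directive, wanted in EXPECTED.items():
        if directive not in conf:
            problems.append(f"{directive} not set (Squid default applies)")
        elif wanted not in conf[directive]:
            got = " ".join(conf[directive][-1])
            problems.append(f"{directive} is '{got}', expected '{' '.join(wanted)}'")
    # An access list with an allow rule still admits ICP/HTCP queries even if
    # 'deny all' follows it, so report those separately.
    for directive in ("icp_access", "htcp_access"):
        if any(args[:1] == ("allow",) for args in conf.get(directive, [])):
            problems.append(f"{directive} contains an allow rule")
    # Without these two, Squid reveals the machine's real hostname in headers and error pages
    for name in ("visible_hostname", "unique_hostname"):
        if name not in conf:
            problems.append(f"{name} not set, real hostname will be exposed")
    return problems


if __name__ == "__main__":
    for problem in audit_squid(SAMPLE_SQUID_CONF):
        print(problem)
```

A missing directive is reported as a problem rather than ignored, because for each of these settings Squid's default is the less restrictive one (version string shown, ICP/HTCP ports open, X-Forwarded-For added).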
___________________________
Webmin and Usermin

Change the default ports (10000 for Webmin, 20000 for Usermin).

Change the value of the server entry in both miniserv.conf files:
/etc/webmin/miniserv.conf
/etc/usermin/miniserv.conf

server=HIDDENSERVER/999.999
realm=Hidden Server
port=1000
listen=1000

Restart both services:

service webmin restart
service usermin restart

This entry was posted in Linux.