Hiding Apache server information: ServerSignature, ServerTokens, expose_php
0. Revision history
- 2006.12.13 Initial version
- 2006.12.19 Fixed missing formatting
1. Introduction
This document describes how to improve Apache's security posture by configuring the ServerSignature and ServerTokens parameters in httpd.conf, together with expose_php in the php.ini file, so that the web server's version information and similar details are not disclosed. The goal of hiding the version is to slow an attacker down; it is not a fundamental fix, but it has little impact on existing systems and is simple to carry out.
The system used here runs on RedHat Linux ES.
2. Configuring ServerSignature
- The ServerSignature parameter controls whether a signature is shown on pages generated by Apache.
- This setting is available in Apache 1.3 and later.
- To see what the signature contains, change the parameter and test each value.
- Check the ServerSignature section of httpd.conf.
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
ServerSignature On
# EBCDIC configuration:
- The default is On.
- In this state, request a file that does not exist over HTTP.
[root@venus root]# curl http://localhost/aho.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /aho.html was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.37 Server at 127.99.99.99 Port 80</ADDRESS>
</BODY></HTML>
[root@venus root]#
- The server version is displayed.
- Try the EMail option.
- Edit httpd.conf as follows.
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
#ServerSignature On
ServerSignature Email
- Restart Apache and send the request again.
[root@venus root]# /usr/local/apache/bin/apachectl stop
/usr/local/apache/bin/apachectl stop: httpd stopped
[root@venus root]# /usr/local/apache/bin/apachectl start
/usr/local/apache/bin/apachectl start: httpd started
[root@venus root]# curl http://localhost/aho.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /aho.html was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.37 Server at <A HREF="mailto:admin@venus">127.99.99.99</A> Port 80</ADDRESS>
</BODY></HTML>
[root@venus root]#
- The administrator e-mail address set in the ServerAdmin parameter of httpd.conf is displayed.
- Spammers harvesting addresses may pick them up from places like this.
- So, configure it to display nothing at all.
- Set ServerSignature to Off in httpd.conf.
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
#ServerSignature On
ServerSignature Off
[root@venus root]# /usr/local/apache/bin/apachectl stop
/usr/local/apache/bin/apachectl stop: httpd stopped
[root@venus root]# /usr/local/apache/bin/apachectl start
/usr/local/apache/bin/apachectl start: httpd started
[root@venus root]# curl http://localhost/aho.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /aho.html was not found on this server.<P>
</BODY></HTML>
[root@venus root]#
- Confirmed that nothing that counts as a signature is displayed any more.
3. ServerTokens
- ServerTokens controls the information shown in the Server header of the HTTP response.
- The default is Full, which displays all the information.
- It is configured in httpd.conf, but the directive is not present by default, so add it yourself.
- First, check the behaviour in the Full state.
[root@venus root]# curl -I http://localhost
HTTP/1.1 200 OK
Date: Wed, 13 Dec 2006 02:16:56 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.0
Content-Location: index.html.ja.jis
Vary: negotiate,accept-language,accept-charset
TCN: choice
Last-Modified: Thu, 06 Jan 2005 12:11:39 GMT
ETag: "2x0099-007-41dd2afb;45674abc"
Accept-Ranges: bytes
Content-Length: 1799
Content-Type: text/html; charset=iso-2022-jp
Content-Language: ja
[root@venus root]#
- The Apache and PHP versions, among other things, are displayed.
- Try Minimal.
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
#ServerSignature On
ServerSignature Off
ServerTokens Minimal
[root@venus root]# /usr/local/apache/bin/apachectl stop;sleep 1; /usr/local/apache/bin/apachectl start
[root@venus root]# curl -I http://localhost
HTTP/1.1 200 OK
Date: Wed, 13 Dec 2006 02:12:42 GMT
Server: Apache/1.3.37
Content-Location: index.html.ja.jis
Vary: negotiate,accept-language,accept-charset
TCN: choice
Last-Modified: Thu, 06 Jan 2005 12:11:39 GMT
ETag: "2x0099-007-41dd2afb;45674abc"
Accept-Ranges: bytes
Content-Length: 1799
Content-Type: text/html; charset=iso-2022-jp
Content-Language: ja
[root@venus root]#
- Now only the Apache version is shown.
- Try OS.
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
#ServerSignature On
ServerSignature Off
ServerTokens OS
[root@venus root]# curl -I http://localhost
HTTP/1.1 200 OK
Date: Wed, 13 Dec 2006 02:13:41 GMT
Server: Apache/1.3.37 (Unix)
Content-Location: index.html.ja.jis
Vary: negotiate,accept-language,accept-charset
TCN: choice
Last-Modified: Thu, 06 Jan 2005 12:11:39 GMT
ETag: "2x0099-007-41dd2afb;45674abc"
Accept-Ranges: bytes
Content-Length: 1799
Content-Type: text/html; charset=iso-2022-jp
Content-Language: ja
[root@venus root]#
- The version and the platform are displayed.
- Try ProductOnly.
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
#ServerSignature On
ServerSignature Off
ServerTokens ProductOnly
[root@venus root]# /usr/local/apache/bin/apachectl stop;sleep 1; /usr/local/apache/bin/apachectl start
/usr/local/apache/bin/apachectl stop: httpd stopped
/usr/local/apache/bin/apachectl start: httpd started
[root@venus root]# curl -I http://localhost
HTTP/1.1 200 OK
Date: Wed, 13 Dec 2006 02:15:57 GMT
Server: Apache
Content-Location: index.html.ja.jis
Vary: negotiate,accept-language,accept-charset
TCN: choice
Last-Modified: Thu, 06 Jan 2005 12:11:39 GMT
ETag: "2x0099-007-41dd2afb;45674abc"
Accept-Ranges: bytes
Content-Length: 1799
Content-Type: text/html; charset=iso-2022-jp
Content-Language: ja
[root@venus root]#
- Only "Apache" is displayed.
- Since this is not expected to affect client-side behaviour, ProductOnly is recommended.
4. expose_php
- This parameter is edited in php.ini rather than in the Apache configuration.
- First, with ServerTokens at Full, check what is displayed.
[root@venus root]# curl -I http://localhost
HTTP/1.1 200 OK
Date: Wed, 13 Dec 2006 02:16:56 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.0
Content-Location: index.html.ja.jis
Vary: negotiate,accept-language,accept-charset
TCN: choice
Last-Modified: Thu, 06 Jan 2005 12:11:39 GMT
ETag: "2x0099-007-41dd2afb;45674abc"
Accept-Ranges: bytes
Content-Length: 1799
Content-Type: text/html; charset=iso-2022-jp
Content-Language: ja
[root@venus root]#
- Edit the /usr/local/lib/php.ini file as follows.
;
; Misc
;
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header). It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
;expose_php = On
expose_php = Off
[root@venus root]# /usr/local/apache/bin/apachectl stop;sleep 1; /usr/local/apache/bin/apachectl start
/usr/local/apache/bin/apachectl stop: httpd stopped
/usr/local/apache/bin/apachectl start: httpd started
[root@venus root]# curl -I http://localhost
HTTP/1.1 200 OK
Date: Wed, 13 Dec 2006 02:24:53 GMT
Server: Apache/1.3.37 (Unix)
Content-Location: index.html.ja.jis
Vary: negotiate,accept-language,accept-charset
TCN: choice
Last-Modified: Thu, 06 Jan 2005 12:11:39 GMT
ETag: "2x0099-007-41dd2afb;45674abc"
Accept-Ranges: bytes
Content-Length: 1799
Content-Type: text/html; charset=iso-2022-jp
Content-Language: ja
[root@venus root]#
- Confirmed that the PHP information is no longer displayed.
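As an added example (not part of the original article), the POSIX shell checker below turns the manual curl inspections from sections 2 to 4 into a repeatable check: it reads a saved HTTP response, maps the Server header to the ServerTokens level it corresponds to (generalising the four values tested above), flags the PHP token that expose_php controls, and detects a ServerSignature <ADDRESS> line in the body. The two sample responses are constructed to mirror the article's before and after output.

```shell
#!/bin/sh
# Added example (not from the original article): classify what a Server
# header and error page reveal, using the ServerTokens levels shown above.

# Map an observed Server header value to the ServerTokens level it matches.
# Patterns are ordered from most specific to least, because a Full value
# also begins like a Minimal one.
classify_server_tokens() {
    case "$1" in
        Apache)                      echo ProductOnly ;;   # product name only
        "Apache/"[0-9]*" ("*") "*)   echo Full ;;          # version, OS, modules
        "Apache/"[0-9]*" ("*")")     echo OS ;;            # version and OS
        "Apache/"[0-9]*)             echo Minimal ;;       # version only
        *)                           echo Unknown ;;
    esac
}

# Read one raw HTTP response (headers, blank line, body) from stdin and
# report the ServerTokens level, whether the PHP token that expose_php
# controls is present, and whether a ServerSignature <ADDRESS> line exists.
audit_response() {
    resp=$(cat)
    srv=$(printf '%s\n' "$resp" | sed -n 's/^Server: *//p' | tr -d '\r' | head -n 1)
    level=$(classify_server_tokens "$srv")
    case "$srv" in *PHP/*) php=exposed ;; *) php=hidden ;; esac
    if printf '%s\n' "$resp" | grep -qi '<ADDRESS>'; then sig=on; else sig=off; fi
    echo "tokens=$level php=$php signature=$sig"
}

# Constructed sample responses modelled on the article's before/after output.
sample_full_response() {
    printf '%s\n' 'HTTP/1.1 404 Not Found' \
        'Server: Apache/1.3.37 (Unix) PHP/5.2.0' 'Content-Type: text/html' '' \
        '<HTML><BODY><H1>Not Found</H1>' \
        '<ADDRESS>Apache/1.3.37 Server at 127.99.99.99 Port 80</ADDRESS>' \
        '</BODY></HTML>'
}
sample_hardened_response() {
    printf '%s\n' 'HTTP/1.1 404 Not Found' 'Server: Apache' \
        'Content-Type: text/html' '' \
        '<HTML><BODY><H1>Not Found</H1></BODY></HTML>'
}

sample_full_response | audit_response       # tokens=Full php=exposed signature=on
sample_hardened_response | audit_response   # tokens=ProductOnly php=hidden signature=off
```

To check a live host, save its response with `curl -si http://host/nonexistent.html > resp.txt` and run `audit_response < resp.txt`; anything other than `tokens=ProductOnly php=hidden signature=off` means one of the three settings is still at its default.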