Tuesday, February 18, 2014

Basic Security Tips to Hide Apache/PHP Version

1. Hide Apache Server Information

 
Setup ServerTokens Directive:

The ServerTokens directive controls whether the Server response header field that is sent back to clients includes generic OS details. Read more about ServerTokens


The following options can be configured, shown with the response value each one produces. Use one of them, depending on your server.
 
# Server sends (e.g.): Server: Apache
ServerTokens Prod
# Server sends (e.g.): Server: Apache/2
ServerTokens Major


Click here for more options to use with the ServerTokens directive
 
Setup ServerSignature Directive

The ServerSignature directive configures the footer on server-generated documents. Edit the Apache configuration file, search for the ServerSignature directive and update it. Read more about ServerSignature
 
ServerSignature  Off

 

2. Hide PHP Version

By default, a PHP installation exposes to the world that PHP is installed on the server, including the PHP version in the HTTP header (e.g. X-Powered-By: PHP/5.4.20). Read more

To hide these values from the header, edit php.ini and set the directive below to Off
 
expose_php = Off

 

3. Restart Apache and Verify Changes


Restart Apache server to reload changes.

 
# service httpd restart


You have now made the necessary changes on your server. Run the command below again and compare the output with the earlier results.
 
 
# wget --server-response --spider http://wordpress.tecadmin.net

--18:22:20--  http://wordpress.tecadmin.net/
Resolving wordpress.tecadmin.net... 192.168.1.11
Connecting to wordpress.tecadmin.net|192.168.1.11|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Mon, 07 Oct 2013 07:45:18 GMT
  Server: Apache
  Connection: close
  Content-Type: text/html; charset=UTF-8
Length: unspecified [text/html]
200 OK 
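
The manual comparison above can be automated. The script below is an added example, not part of the original post: it reads response headers on stdin and reports any Server or X-Powered-By value that still discloses version detail. The function names and both sample responses are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): flag version disclosure in
# HTTP response headers. Feed it the headers on stdin, e.g. the output of
#   wget --server-response --spider URL 2>&1

# Print one "LEAK ..." line per header that reveals more than
# ServerTokens Prod and expose_php = Off would allow.
audit_headers() {
    tr -d '\r' | awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)        # wget indents header lines
            idx = index(line, ":")
            if (idx == 0) next              # status line, blank line
            name  = tolower(substr(line, 1, idx - 1))
            value = substr(line, idx + 1)
            sub(/^[ \t]+/, "", value); sub(/[ \t]+$/, "", value)
            # A bare product token ("Apache") is fine; a slash, digit or
            # parenthesis means version, OS or module detail is present.
            if (name == "server" && value ~ "[/0-9(]")
                print "LEAK server: " value
            if (name == "x-powered-by")
                print "LEAK x-powered-by: " value
        }'
}

# Exit status 0 only when nothing leaks (usable in a cron or CI check).
headers_clean() { [ -z "$(audit_headers)" ]; }

# Constructed sample responses: before and after the changes above.
SAMPLE_BEFORE='  HTTP/1.1 200 OK
  Date: Mon, 07 Oct 2013 07:45:18 GMT
  Server: Apache/2.2.15 (CentOS)
  X-Powered-By: PHP/5.4.20
  Connection: close'
SAMPLE_AFTER='  HTTP/1.1 200 OK
  Date: Mon, 07 Oct 2013 07:45:18 GMT
  Server: Apache
  Connection: close'

echo "before:"; printf '%s\n' "$SAMPLE_BEFORE" | audit_headers
if printf '%s\n' "$SAMPLE_AFTER" | headers_clean; then echo "after: clean"; fi
```

With ServerTokens Major the check still reports a finding, because Apache/2 reveals the major version.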
 
 
http://httpd.apache.org/docs/2.2/mod/core.html#servertokens 
Friday, February 7, 2014

How to install Awstats with IIS 7.5




Download and Install

ActiveState ActivePerl – http://www.activestate.com/activeperl
AWStats Installer (awstats-7.0.exe) – http://awstats.sourceforge.net/#DOWNLOAD or Zip file.

Open cmd with "Run as administrator", go to the path below and run the command.

C:\Perl64>ap-iis-config add all

Moving the AWStats site into place

Go to your AWStats install folder
(mine is C:\Program Files (x86)\AWStats\wwwroot\ )

Copy these folders and files to your website folder (C:\inetpub\awstats)

Copy the awstats.model.conf file in the cgi directory to a new file named awstats.domain.conf and modify it as shown below.

Here are a few settings of interest according to the setup above:

·         LogFile="C:/inetpub/logs/LogFiles/W3SVC3/u_ex140206.log"
·         LogType=W
·         LogFormat=2
·         SiteDomain="domain.com"
·         HostAliases="localhost 127.0.0.1 REGEX[myserver\.com$]"
·         DirData="."
·         DirCgi="/cgi-bin"
·         DirIcons="/icon"
·         DefaultFile="index.php index.html"
Once you have saved your configuration file, run the AWStats Perl Script to compile the stats data. The command looks like this:

C:\inetpub\wwwroot\awstats>C:\Perl\bin\perl.exe awstats.pl -config=domain.com
Cross-check the AWStats report at http://domain.com/cgi-bin/awstats.pl

To update the log information:

c:\inetpub\wwwroot\awstats-7.2\wwwroot\cgi-bin>awstats.pl -config=domain.com --update

c:\inetpub\wwwroot\awstats-7.2\wwwroot\cgi-bin>perl awstats.pl -config=domain.com -output -staticlinks > awstats.domain.html

perl awstats.pl -config=domain.com -output=alldomains -staticlinks > awstats.domain.com.alldomains.html

perl awstats.pl -config=domain.com -output=allhosts -staticlinks > awstats.domain.com.allhosts.html

perl awstats.pl -config=domain.com -output=lasthosts -staticlinks > awstats.domain.com.lasthosts.html

perl awstats.pl -config=domain.com -output=unknownip -staticlinks > awstats.domain.com.unknownip.html

perl awstats.pl -config=domain.com -output=alllogins -staticlinks > awstats.domain.com.alllogins.html

perl awstats.pl -config=domain.com -output=lastlogins -staticlinks > awstats.domain.com.lastlogins.html

perl awstats.pl -config=domain.com -output=allrobots -staticlinks > awstats.domain.com.allrobots.html

perl awstats.pl -config=domain.com -output=lastrobots -staticlinks > awstats.domain.com.lastrobots.html

perl awstats.pl -config=domain.com -output=urldetail -staticlinks > awstats.domain.com.urldetail.html

perl awstats.pl -config=domain.com -output=urlentry -staticlinks > awstats.domain.com.urlentry.html

perl awstats.pl -config=domain.com -output=urlexit -staticlinks > awstats.domain.com.urlexit.html

perl awstats.pl -config=domain.com -output=browserdetail -staticlinks > awstats.domain.com.browserdetail.html

perl awstats.pl -config=domain.com -output=osdetail -staticlinks > awstats.domain.com.osdetail.html

perl awstats.pl -config=domain.com -output=unknownbrowser -staticlinks > awstats.domain.com.unknownbrowser.html

perl awstats.pl -config=domain.com -output=unknownos -staticlinks > awstats.domain.com.unknownos.html

perl awstats.pl -config=domain.com -output=refererse -staticlinks > awstats.domain.com.refererse.html

perl awstats.pl -config=domain.com -output=refererpages -staticlinks > awstats.domain.com.refererpages.html

perl awstats.pl -config=domain.com -output=keyphrases -staticlinks > awstats.domain.com.keyphrases.html

perl awstats.pl -config=domain.com -output=keywords -staticlinks > awstats.domain.com.keywords.html

perl awstats.pl -config=domain.com -output=errors404 -staticlinks > awstats.domain.com.errors404.html
Thursday, November 21, 2013

How to make .htaccess work with IIS7 for PHP on Windows


By replacing IIS with Apache.  IIS doesn't natively use .htaccess files.

For this script, look at ISAPIRewrite, don't know how it works in IIS 7 but it would do these in IIS 6 fine.  Or configure your own rewrite module.

See:  http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1262

http://thomas.bindzus.me/tag/iis-7-import-htaccess-files/

No CSS is applied, the problem seems to be that index.php is not removed properly, this is caused by missing rewrite rules which should be configured for the web site through IIS Manager, so open the URL Rewrite tool by double-clicking on the icon:

http://www.microsoft.com/en-in/download/details.aspx?id=7435

http://www.tc33.org/web-development/php/installing-phps-intl-extension-on-windows-with-pecl/

1. Insert in php.ini: extension=php_intl.dll
2. Insert in php.ini:
[intl]
intl.default_locale = en_utf8
intl.error_level = E_WARNING

The DLLs below should be present in the php folder

    icudt49.dll
    icuin49.dll
    icuio49.dll
    icule49.dll
    iculx49.dll
    icutu49.dll
    icuuc49.dll

http://blog.richardknop.com/2011/09/making-zend-framework-run-under-iis/

http://zend-framework-community.634137.n4.nabble.com/Zend-Server-IIS7-5-Zend-Framework-HTACCESS-td660271.html

Add a web.config file under the public_html folder with the contents below.


Features

  • Rules-based URL rewriting engine
  • Rules-based response rewriting engine
  • Support for custom .NET rewrite providers
  • Regular expression pattern matching
  • Wildcard pattern matching
  • Global and distributed rewrite rules
  • Rewriting within the content of specific HTML tags
  • Pre-conditions for outbound rules
  • Access to server variables and HTTP headers
  • Rewriting of server variables and HTTP request headers
  • Rewriting of HTTP response headers
  • Allow list for server variables
  • HtmlEncode function
  • Built-in rule templates
  • Reverse proxy rule template
  • Rule templates for Search Engine Optimization
  • Various rule actions including redirect and request abort
  • Tracking capture groups across rule conditions
  • Logging of rewritten URLs
  • Updated user interface in IIS Manager
  • Integrated user interface for managing rewrite rules and rewrite maps
  • Integrated user interface for importing of Apache mod_rewrite rules
  • Integrated user interface for testing regular expression and wildcard patterns
  • Support for IIS kernel-mode and user-mode output caching
  • Lowercase conversion function
  • Rewrite maps to generate the substitution URL during rewriting
  • Failed Request Tracing support
Tuesday, October 1, 2013

Checker

URL that tells you whether a page's content is secure and valid or not

http://www.whynopadlock.com

Check whether Gzip is enabled for a website

http://www.whatsmyip.org/more-info-about-you/

SSL Checker URL

http://www.sslshopper.com/ssl-checker.html

http://www.digicert.com/help/

https://sslcheck.globalsign.com/en_US
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
  
Common Name: The fully-qualified domain name, or URL, you're securing. If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.coolexample.com.
Organization: The legally-registered name for your business. If you are enrolling as an individual, enter the certificate requestor's name. 
Organization Unit: If applicable, enter the DBA (doing business as) name. 
City or Locality: Name of the city where your organization is registered/located. Do not abbreviate. 
State or Province: Name of the state or province where your organization is located. Do not abbreviate. 
Country: The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered.  
       
Open the CSR in a text editor and copy all of the text.
Paste the full CSR into the SSL enrollment form in your account.
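
Before pasting the CSR into the enrollment form, it is worth confirming that it verifies and that it belongs to the private key you intend to deploy. The script below is an added example, not part of the original post: the function names and the subject values passed to -subj are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original post). Names and the subject below
# are constructed placeholders.

# make_csr DIR CN: same command as above, but non-interactive (-subj answers
# the prompts) and with the private key created owner-readable only.
make_csr() (
    umask 077
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=US/ST=Arizona/L=Scottsdale/O=Example Org/CN=$2" 2>/dev/null
)

# csr_matches_key CSR KEY: succeeds only if the CSR's self-signature
# verifies and its public key is the one derived from the private key.
csr_matches_key() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Demonstration in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    make_csr "$d" www.example.com || return 1
    if csr_matches_key "$d/www.example.com.csr" "$d/www.example.com.key"
    then echo "CSR matches key: submit the .csr, never the .key"
    fi
    rm -rf "$d"
}
demo
```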



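# The enclosing <VirtualHost> and <Directory> tags were missing from this listing.
# The *:443 address and the directory path (taken from DocumentRoot) are assumptions.
<VirtualHost *:443>
    ServerAdmin user@email.com
    DocumentRoot /home/example/public_html/web
    <Directory /home/example/public_html/web>
        # Options must not mix signed and unsigned keywords, hence +FollowSymLinks
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    DirectoryIndex index.php index5.php index.html index.htm index.shtml index.php4 index.php3 index.phtml index.cgi
    ServerName www.example.com
    ServerAlias example.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf.d/certfiles/example.com.crt
    SSLCertificateKeyFile /etc/httpd/conf.d/certfiles/example.key
    SSLCertificateChainFile /etc/httpd/conf.d/certfiles/gd_bundle.crt
    ErrorLog logs/exampleerror.log
    CustomLog logs/exampleaccess.log combined
</VirtualHost>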
 
Saturday, September 28, 2013

HOWTO: Install/Setup JBoss (centos 6.X)

cd /tmp/
wget http://download.jboss.org/jbossas/7.1/jboss-as-7.1.1.Final/jboss-as-7.1.1.Final.zip
unzip -q jboss-as-7.1.1.Final.zip
mv jboss-as-7.1.1.Final /usr/share/
ln -s /usr/share/jboss-as-7.1.1.Final/  /usr/share/jboss-as
useradd jboss-as
chown -R jboss-as:jboss-as /usr/share/jboss-as /usr/share/jboss-as-7.1.1.Final/
mkdir /var/run/jboss-as
chown -R jboss-as:jboss-as /var/run/jboss-as
mkdir /etc/jboss-as/
cp /usr/share/jboss-as/bin/init.d/jboss-as.conf /etc/jboss-as/
vi /etc/jboss-as/jboss-as.conf
and uncomment the following lines
JBOSS_USER=jboss-as
JBOSS_CONSOLE_LOG=/var/log/jboss-as/console.log
mkdir /var/log/jboss-as
chown jboss-as:jboss-as /var/log/jboss-as
cp /usr/share/jboss-as/bin/init.d/jboss-as-standalone.sh /etc/init.d/jboss
chkconfig jboss on
cd /usr/share/jboss-as/standalone/configuration/
vi standalone.xml
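and look for 127.0.0.1 and replace it with 0.0.0.0. This makes every interface defined in the file, including the management interface, listen on all network addresses.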
 
/etc/init.d/jboss start
 
The default ports for JBoss can be found in the standalone.xml file
 
 
 

How to Use ssh without password

Login into server1 and run the following commands.
 
ssh-keygen -t rsa 
 
ssh user@server2 mkdir -p .ssh 
 
cat .ssh/id_rsa.pub | ssh user@server2 'cat >> .ssh/authorized_keys' 
 
ssh user@server2 "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"

Now try to log in to server2; it won't prompt you to enter a password. Try and let me know.
 
ssh user@server2
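
The `cat >>` step above appends the key again every time it is repeated. The script below is an added example, not part of the original post: it performs the server2 side of the procedure so that it can be re-run safely. The function name install_pubkey and the sample key are constructed for illustration, and it sets authorized_keys to mode 600, which is stricter than the 640 used above.

```sh
#!/bin/sh
# Added example (not from the original post): the server2 side of the steps
# above as one repeatable function. install_pubkey is a hypothetical name.

# install_pubkey PUBKEY_FILE HOME_DIR
# Appends the key to HOME_DIR/.ssh/authorized_keys only if it is not already
# there, refuses anything that is not a single public-key line, and sets
# modes 700/600 (600 is stricter than the 640 used above).
install_pubkey() (
    nl='
'
    key=$(grep -v '^[[:space:]]*$' "$1") || exit 1
    case $key in
        *"$nl"*) echo "expected exactly one key line" >&2; exit 1 ;;
    esac
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not a public key (private key pasted?)" >&2; exit 1 ;;
    esac
    umask 077
    mkdir -p "$2/.ssh" && chmod 700 "$2/.ssh" || exit 1
    touch "$2/.ssh/authorized_keys" || exit 1
    chmod 600 "$2/.ssh/authorized_keys" || exit 1
    # -x whole line, -F fixed string: no regex surprises from key text
    grep -qxF -- "$key" "$2/.ssh/authorized_keys" ||
        printf '%s\n' "$key" >> "$2/.ssh/authorized_keys"
)

# Demonstration in a scratch directory with a constructed, non-functional key.
# Installing twice still leaves exactly one line in authorized_keys.
demo_install() {
    d=$(mktemp -d) || return 1
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQconstructed user@server1" > "$d/id_rsa.pub"
    install_pubkey "$d/id_rsa.pub" "$d/home" || return 1
    install_pubkey "$d/id_rsa.pub" "$d/home" || return 1
    wc -l < "$d/home/.ssh/authorized_keys"
    rm -rf "$d"
}
demo_install
```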