
Preventing Apache (HTTP) and PHP version information disclosure



Checking the Apache and PHP versions exposed in the HTTP headers

curl -I http://localhost
$ curl -I localhost
HTTP/1.1 302 Found
Date: Fri, 28 Jan 2022 01:57:45 GMT
Server: Apache/2.4.46 (Unix) OpenSSL/1.1.1k PHP/7.3.25
Location: http://www.sangchul.kr/404.html
Content-Type: text/html; charset=iso-8859-1


wget --server-response --spider http://localhost
  • -S, --server-response : print the headers sent by HTTP servers and the responses sent by FTP servers.
  • --spider : when invoked with this option, Wget behaves as a web spider, meaning it does not download the pages, it only checks that they exist.

For example, you can use Wget to check your bookmarks:

wget --spider --force-html -i bookmarks.html

This feature needs much more work before Wget comes close to the functionality of a real web spider.

$ wget --server-response --spider http://localhost
Spider mode enabled. Check if remote file exists.
--2022-01-28 10:58:40--  http://localhost/
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Date: Fri, 28 Jan 2022 01:58:40 GMT
  Server: Apache/2.4.46 (Unix) OpenSSL/1.1.1k PHP/7.3.25
  Location: http://www.sangchul.kr/404.html
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
Location: http://www.sangchul.kr/404.html [following]
Spider mode enabled. Check if remote file exists.
--2022-01-28 10:58:40--  http://www.sangchul.kr/404.html
Resolving www.sangchul.kr (www.sangchul.kr)... 27.0.236.139
Connecting to www.sangchul.kr (www.sangchul.kr)|27.0.236.139|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 301 Moved Permanently
  Date: Fri, 28 Jan 2022 01:58:36 GMT
  Server: Apache
  Location: https://www.sangchul.kr/404.html
  Keep-Alive: timeout=10, max=2048
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
Location: https://www.sangchul.kr/404.html [following]
Spider mode enabled. Check if remote file exists.
--2022-01-28 10:58:40--  https://www.sangchul.kr/404.html
Connecting to www.sangchul.kr (www.sangchul.kr)|27.0.236.139|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Fri, 28 Jan 2022 01:58:36 GMT
  Server: Apache
  P3P: CP="ALL CURa ADMa DEVa TAIa OUR BUS IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC OTC"
  Keep-Alive: timeout=10, max=2048
  Connection: Keep-Alive
  Content-Type: text/html; charset=EUC-KR
Length: unspecified [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.

Editing the Apache configuration (httpd-default.conf or httpd.conf)

vim /usr/local/apache2/conf/extra/httpd-default.conf
  • ServerTokens: set to Prod (ServerTokens Prod; in the edited file below this line is active, not the commented-out form #ServerTokens Prod)
  • ServerSignature On => change to Off (ServerSignature Off)
$ vim /usr/local/apache2/conf/extra/httpd-default.conf
...
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
ServerSignature Off
...

Editing the PHP configuration (php.ini)

Locating the php.ini file

php --ini
$ /usr/local/php/bin/php --ini
Configuration File (php.ini) Path: /usr/local/apache2/conf
Loaded Configuration File:         /usr/local/apache2/conf/php.ini
Scan for additional .ini files in: (none)
Additional .ini files parsed:      (none)
php -i | egrep "Configuration File"
$ /usr/local/php/bin/php -i | egrep "Configuration File"
Configuration File (php.ini) Path => /usr/local/apache2/conf
Loaded Configuration File => /usr/local/apache2/conf/php.ini

Editing php.ini

vim /usr/local/apache2/conf/php.ini
$ vim /usr/local/apache2/conf/php.ini
...
;;;;;;;;;;;;;;;;;
; Miscellaneous ;
;;;;;;;;;;;;;;;;;

; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
; http://php.net/expose-php
expose_php = Off
...

Checking the Apache and PHP versions again (after the change)

curl -I http://localhost
$ curl -I http://localhost
HTTP/1.1 302 Found
Date: Fri, 28 Jan 2022 02:02:19 GMT
Server: Apache
Location: http://www.sangchul.kr/404.html
Content-Type: text/html; charset=iso-8859-1


wget --server-response --spider http://localhost
$ wget --server-response --spider http://localhost
Spider mode enabled. Check if remote file exists.
--2022-01-28 11:02:25--  http://localhost/
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Date: Fri, 28 Jan 2022 02:02:25 GMT
  Server: Apache
  Location: http://www.sangchul.kr/404.html
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
Location: http://www.sangchul.kr/404.html [following]
Spider mode enabled. Check if remote file exists.
--2022-01-28 11:02:25--  http://www.sangchul.kr/404.html
Resolving www.sangchul.kr (www.sangchul.kr)... 27.0.236.139
Connecting to www.sangchul.kr (www.sangchul.kr)|27.0.236.139|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 301 Moved Permanently
  Date: Fri, 28 Jan 2022 02:02:17 GMT
  Server: Apache
  Location: https://www.sangchul.kr/404.html
  Keep-Alive: timeout=10, max=2048
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
Location: https://www.sangchul.kr/404.html [following]
Spider mode enabled. Check if remote file exists.
--2022-01-28 11:02:25--  https://www.sangchul.kr/404.html
Connecting to www.sangchul.kr (www.sangchul.kr)|27.0.236.139|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Fri, 28 Jan 2022 02:02:17 GMT
  Server: Apache
  P3P: CP="ALL CURa ADMa DEVa TAIa OUR BUS IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC OTC"
  Keep-Alive: timeout=10, max=2048
  Connection: Keep-Alive
  Content-Type: text/html; charset=EUC-KR
Length: unspecified [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.
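As an added example (not code from the original post), the following Python script automates the before/after comparison made with curl and wget above: it parses a raw response head, reports every product/version token found in the Server header and any X-Powered-By header (expose_php = Off removes that header as well as the PHP/x.y.z token), and checks an error-page body for the <address> footer that ServerSignature On appends to server-generated error documents. The sample response heads are constructed from the curl output shown in the post; the X-Powered-By line and the error-page body are assumed samples of what the default settings emit. Note that ServerTokens Prod still reports the product name "Apache", which is the least Apache itself will send.

```python
"""Detect Apache/PHP version disclosure in HTTP response headers and error pages.

Added example for this post, not code from the original page. The samples
below are constructed from the post's curl output; the X-Powered-By line and
the <address> footer are assumed samples of expose_php=On / ServerSignature On.
"""
import http.client
import re
import sys
from typing import Dict, List

# product/version tokens such as Apache/2.4.46, OpenSSL/1.1.1k, PHP/7.3.25
VERSION_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.]*)")
# footer that ServerSignature On appends to server-generated error pages
SIGNATURE = re.compile(r"<address>(.*?)</address>", re.IGNORECASE | re.DOTALL)

# Constructed sample: before the change (ServerTokens Full, expose_php=On)
BEFORE = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Fri, 28 Jan 2022 01:57:45 GMT\r\n"
    "Server: Apache/2.4.46 (Unix) OpenSSL/1.1.1k PHP/7.3.25\r\n"
    "X-Powered-By: PHP/7.3.25\r\n"
    "Location: http://www.sangchul.kr/404.html\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)

# Constructed sample: after the change (ServerTokens Prod, expose_php=Off)
AFTER = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Fri, 28 Jan 2022 02:02:19 GMT\r\n"
    "Server: Apache\r\n"
    "Location: http://www.sangchul.kr/404.html\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)

# Constructed sample error-page body carrying the ServerSignature On footer
ERROR_BODY_BEFORE = (
    "<html><body><h1>Not Found</h1>"
    "<address>Apache/2.4.46 (Unix) OpenSSL/1.1.1k PHP/7.3.25 "
    "Server at localhost Port 80</address></body></html>"
)


def parse_head(raw: str) -> Dict[str, List[str]]:
    """Split a raw response head into {lower-cased name: [values]}; stops at the blank line."""
    headers: Dict[str, List[str]] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def find_header_leaks(raw: str) -> List[str]:
    """Return every product/version token in Server plus any X-Powered-By value."""
    headers = parse_head(raw)
    leaks = [f"Server: {p}/{v}" for value in headers.get("server", [])
             for p, v in VERSION_TOKEN.findall(value)]
    leaks += [f"X-Powered-By: {value}" for value in headers.get("x-powered-by", [])]
    return leaks


def find_signature_leaks(body: str) -> List[str]:
    """Return version tokens from an <address> footer, i.e. ServerSignature is still On."""
    return [f"{p}/{v}" for footer in SIGNATURE.findall(body)
            for p, v in VERSION_TOKEN.findall(footer)]


def fetch_head(host: str, port: int = 80, path: str = "/") -> str:
    """Send a HEAD request and rebuild the response head as text (live check only)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        lines = [f"HTTP/{resp.version // 10}.{resp.version % 10} {resp.status} {resp.reason}"]
        lines += [f"{name}: {value}" for name, value in resp.getheaders()]
        return "\r\n".join(lines) + "\r\n\r\n"
    finally:
        conn.close()


if __name__ == "__main__":
    # usage: python check_version_leak.py [host] [port]; no arguments = offline demo
    if len(sys.argv) > 1:
        raw = fetch_head(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 80)
    else:
        raw = BEFORE
    for leak in find_header_leaks(raw) or ["no version tokens in headers"]:
        print(leak)
```

Run it with a host (and optional port) argument to check a live server after editing httpd-default.conf and php.ini; an empty result from find_header_leaks is the state the second curl/wget run above shows. find_signature_leaks is meant for the body of a deliberately requested non-existent page, since the footer only appears on Apache-generated error documents.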
