Security by obscurity

This simple guide will help you secure your server in an indirect way, by hiding software versions from possible attackers. This can help you prevent many automated attacks and attacks based on software version numbers. If a hacker wants to probe your system for holes, he’ll start by collecting the version numbers of all your running services. This guide will teach you to set up common services so that they do not give away their version numbers. This is called security by obscurity; it’s not something to rely on, but it can lower the chances of your system getting hacked.

Apache (Web Server)

Let’s start with Apache. Its config file should be at path

/etc/httpd/conf/httpd.conf

Open that with an editor of your choice. For beginners I always suggest Midnight Commander, but if you’re more experienced you can use another editor like pico or vi. In MC, open the file for editing by pressing F4 while the file is selected.

Locate these two lines and set them as follows. If you can’t find them, add them.

ServerSignature Off
ServerTokens Prod

ServerSignature Off removes the Apache version identification from error pages, and ServerTokens Prod makes Apache identify itself as “Apache”, without version number or OS information. Save the file and restart Apache.

service httpd restart

Named (DNS Server)

Next we will stop named from giving away its version. Open the named config file at path

/etc/named.conf

Search for the line

query-source address * port 53;

Add the following line right below it (if it doesn’t exist)

version "Named";

Save and restart named using

service named restart

 

Exim (Email Server)

Next we will disable the version numbers in Exim. If you are not running Exim there is no need to do this section. Exim config is at path

/etc/exim.conf

and if it could not be located, it probably means that you do not use Exim. Search for

smtp_banner = "${primary_hostname}"

This is the welcome message for the email server. You can put anything in here. Here’s a sample message

smtp_banner = "${primary_hostname} MailServer \n\
    We do not authorize the use of this system to transport unsolicited, \n\
    and/or bulk e-mail."

Save the config and restart Exim.

service exim restart
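
To confirm the changes took effect, the following added example (not part of the original guide) queries each service on your own server and flags any banner that still contains a version-like number. It assumes curl, dig and nc are installed; the function names and the script name check_banners.sh are made up for this example.

```shell
#!/bin/sh
# Added example: check that the services no longer announce a version.
# Assumes curl, dig and nc are installed.

# Exit status 0 if the text contains something shaped like a version
# number (e.g. 2.2.15 or 4.96), 1 otherwise.
leaks_version() {
    printf '%s\n' "$1" | grep -Eq '[0-9]+\.[0-9]+'
}

# Print "LEAK" or "OK" for one captured banner.
verdict() {
    if leaks_version "$1"; then echo LEAK; else echo OK; fi
}

# Server header, e.g. "Server: Apache" once ServerTokens Prod is active.
apache_banner() {
    curl -sI "http://$1/" | tr -d '\r' | grep -i '^Server:'
}

# Footer of a server-generated error page; empty once ServerSignature is Off.
apache_signature() {
    curl -s "http://$1/no-such-page-$$" | grep -i '<address>'
}

# Answer to the CHAOS-class version.bind query, e.g. "Named".
named_banner() {
    dig +short +time=3 +tries=1 @"$1" version.bind chaos txt
}

# SMTP greeting (220 lines). Wait before QUIT so Exim sees no early input.
exim_banner() {
    (sleep 2; printf 'QUIT\r\n') | nc -w 5 "$1" 25 | tr -d '\r' | grep '^220'
}

# Run every check against one host and print one line per check.
audit() {
    for check in apache_banner apache_signature named_banner exim_banner; do
        banner=$($check "$1" 2>/dev/null) || banner=
        printf '%-17s %-4s %s\n' "$check" "$(verdict "$banner")" "$banner"
    done
}

# Run only when a host is given: sh check_banners.sh 127.0.0.1
if [ $# -gt 0 ]; then audit "$1"; fi
```

The version test is a simple digits-dot-digits pattern, so a hostname or IP address of that shape in a banner is also reported as LEAK; read the printed banner before acting on the verdict.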

Remember, this is just security through obscurity and you still need to keep the server updated! This is just going to stop some people from finding your server in the first place by automated scanning. It will not help at all if somebody is actually trying to hack the server.

 

NOTE:

  • This guide will just hide software version numbers from possible hackers. The less they know the weaker they are so Shhhhh!!!!
  • Use this information at your own risk. I’m not responsible for any damage that may occur by (mis)use of this data.

Source: eth0.us
