Date: 2007nov7
Updated: 2024aug12
Keywords: Security Through Obscurity, hide, Prod, signature
Q. Can I make my Internet-facing daemons more secure?
A. Its a good idea not to give potential hackers the name
and version of your server. They might know a exploit for it.
Many Linux servers do just this by default.
You can change the following configuration files to display
a generic greeting:
Dovecot
-------
File /etc/dovecot.conf
login_greeting = IMAP/POP Server ready
vsftpd
------
File /etc/vsftpd/vsftpd.conf
ftpd_banner=FTP Server ready
Proftpd
-------
File /etc/proftpd.conf
ServerIdent on "FTP Server ready"
Postfix
-------
File /etc/postfix/main.cf
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
mail_name = The-Mailer
Jetty
-----
In file $JETTYHOME/etc/jetty.xml
Set this to false at the bottom:
<Set name="sendServerVersion">false</Set>
Apache
------
File /etc/httpd/conf/httpd.conf
ServerTokens ProductOnly
ServerSignature Off
Nginx
-----
File /etc/nginx/nginx.conf
http {
...
server_tokens off;
}
Test
----
Restart the services and check with these commands:
telnet localhost pop3 </dev/null
sleep 1 | telnet localhost ftp
telnet localhost smtp </dev/null
Test Apache by visiting a page that doesn't exist:
http://www.example.com/page_that_does_not_exist
PHP
---
If you run PHP scripts then you have many public URLs ending in .php
which tells everyone that they are written in PHP. But they don't have to
end in that extension.
In file /etc/httpd/conf.d/php.conf change:
AddHandler php5-script .php
AddType text/html .php
to
AddHandler php5-script .hello
AddType text/html .hello
Then rename your scripts. Of course, you can use any extension that isn't
already in use -- such as your company name.
And in your /etc/php.ini set:
expose_php = Off
To remove the X-Powered-By: php <version> header
Port knocking
-------------
Using knockd you can make a port appear to be closed until a friendly user
accesses a sequence of other ports. Crazy obscure.