《Ubuntu Server 最佳方案》(冷罡華著)介紹Apache安全一節中,講到隱藏敏感信息。使用telnet 訪問服務器的80端口,然後給出命令"HEAD / HTTP/1.0"並按兩次回車,就能顯示服務器的操作系統名稱,PHP,APACHE的版本號,給系統安全帶來隱患。
$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Mon, 03 Nov 2008 01:37:59 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.3with Suhosin-Patch
Last-Modified: Mon, 03 Nov 2008 00:46:59 GMT
ETag: "34943-2d-45abe48d446c0"
Accept-Ranges: bytes
Content-Length: 45
Connection: close
Content-Type: text/html
Connection closed by foreign host.
本書的解決方法因爲apache版不同,無法通過編輯apache2.conf起作用,而是編輯/etc/apache2/conf.d/security文件,我的使用的是apache2.22,修改成:
ServerTokens Prod
ServerSignature Off