Security is a major concern in today’s world. Hackers will take every possible opportunity to deface your website and exploit the system. Securing a website or web application has to be done on both fronts – securing the web application itself and securing the web server it runs on. Today we shall discuss how you can tweak some security options on your LAMP stack.

Whenever a web server serves responses to web browsers (or other clients), it sends some “header information” along with them. By default the Apache web server (the “A” in LAMP) publishes many details about its environment, and PHP sometimes announces itself in the headers as well. An experienced attacker will take advantage of the information collected from these headers: once you know the operating system, the web server, the version of the scripting engine and other minor but important bits of a hosting environment, it becomes quite easy to look up known bugs or security flaws in those exact versions and exploit them. You should always keep your software up to date, but most importantly you should never let this sensitive information leak out into the wild. Luckily we can configure both Apache and PHP to remain silent, keeping potential abusers in the dark.

These configuration changes require administrative privileges on the system. The tutorial covers Ubuntu Linux and assumes that you have the required level of permissions to make these changes.

Configuring Apache

Before changing anything, back up the default Apache configuration file so that you can always restore it if something goes wrong. Use this command to back it up:

sudo cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.bak

Now, let’s edit the configuration file:

sudo nano /etc/apache2/apache2.conf

Nano is a very smart and powerful text editor on the terminal. If you (unfortunately enough) don’t have nano installed, you can install it by typing:

sudo apt-get install nano

If you already have nano (I hope you do), skip this step. You should now see the configuration file open in the terminal.

Press the down arrow to scroll down to the line that reads “ServerTokens Full”. This directive tells Apache to send full information in the headers, which is not what we want. The comments around it list the available options; we shall go for “Prod”, which emits the least information. So, change the line so that it reads “ServerTokens Prod”. Now scroll down a bit more, find “ServerSignature On” and change it to “ServerSignature Off”. Press Ctrl + O to save the changes and then Ctrl + X to exit.

Configuring PHP

Now, we need to do the same thing for PHP. First, back up the original PHP configuration file:

sudo cp /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.bak

Open the configuration file:

sudo nano /etc/php5/apache2/php.ini

Change “expose_php = On” to “expose_php = Off”. Like before, press Ctrl + O to save the changes and then Ctrl + X to exit.

After configuring PHP and Apache, we need to restart the web server so that the changes take effect. Remember, this is very important: the settings will not be active until you reload the server.

sudo /etc/init.d/apache2 restart
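To check that the changes actually took, here is an added POSIX shell helper (my own example, not code from the original post): audit_headers inspects the headers a running server sends (pipe in the output of curl -sI), and audit_config scans an apache2.conf or php.ini for the three directives changed above. The localhost URL and the sample header values in the comments are assumptions.

```shell
#!/bin/sh
# Added verification helpers; not part of the original post.
# audit_headers reads a raw HTTP response header block on stdin (for example the
# output of `curl -sI http://localhost/`) and reports any Server or X-Powered-By
# header that still leaks version details. Returns 1 on a leak, 0 when clean.
audit_headers() {
    leaks=0
    hdrs=$(tr -d '\r')   # HTTP uses CRLF line endings; drop the CR
    server=$(printf '%s\n' "$hdrs" | grep -i '^Server:' | head -n 1)
    powered=$(printf '%s\n' "$hdrs" | grep -i '^X-Powered-By:' | head -n 1)
    # With "ServerTokens Prod" the header is just "Server: Apache": a digit means
    # a version number slipped through, a parenthesis means the OS did.
    case "$server" in
        *[0-9]*|*'('*) echo "LEAK: $server"; leaks=1 ;;
    esac
    # With "expose_php = Off" PHP stops adding X-Powered-By altogether.
    if [ -n "$powered" ]; then
        echo "LEAK: $powered"; leaks=1
    fi
    return $leaks
}

# audit_config FILE scans an apache2.conf or php.ini for the three directives
# the post changes and reports any still set to a verbose value. Comment lines
# (# or ;) are ignored and the last occurrence wins, as the servers themselves
# treat them. Returns 1 if anything is still verbose, 0 when clean.
audit_config() {
    bad=0
    clean=$(grep -Ev '^[[:space:]]*[#;]' "$1" || true)
    tokens=$(printf '%s\n' "$clean" |
        awk 'tolower($1)=="servertokens"{v=$2} END{print v}')
    sig=$(printf '%s\n' "$clean" |
        awk 'tolower($1)=="serversignature"{v=$2} END{print v}')
    expose=$(printf '%s\n' "$clean" | awk -F'=' '{gsub(/[[:space:]]/,"",$1)}
        tolower($1)=="expose_php"{gsub(/[[:space:]]/,"",$2); v=$2} END{print v}')
    case "$tokens" in ''|[Pp]rod*) ;; *) echo "$1: ServerTokens $tokens (want Prod)"; bad=1 ;; esac
    case "$sig" in ''|[Oo][Ff][Ff]) ;; *) echo "$1: ServerSignature $sig (want Off)"; bad=1 ;; esac
    case "$expose" in ''|[Oo][Ff][Ff]|0) ;; *) echo "$1: expose_php = $expose (want Off)"; bad=1 ;; esac
    return $bad
}
```

After the restart, `curl -sI http://localhost/ | audit_headers` should print nothing and exit 0; `audit_config /etc/apache2/apache2.conf` and `audit_config /etc/php5/apache2/php.ini` should do the same.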

In the coming posts, I shall try to focus on different aspects of web application security.