How to use obscurity to improve security (a tiny bit)
April 10, 2009
Security on the Internet is an ongoing battle. Every admin sees a steady stream of attacks against the services on his or her system, every day. A large share of these attacks are automated: scripts that exploit known holes. Dumb scripts blindly try exploit after exploit until one succeeds. Smarter scripts first determine the version of the server and then look for an exploit that matches it.
Many admins make it very easy for the crackers by leaving a lot of information in the banners that a service returns. A common one is the banner for Apache httpd. An example of that looks like this:
Server: Apache/2.0.59 (FreeBSD) PHP/4.4.7 with Suhosin-Patch DAV/2
It is trivial for anyone to get this information, manually or with a script. From this one line you can read off, for example, which PHP version is running and whether it has been patched. Without it an attacker has to work harder to select the right exploit, which makes your machine a slightly less attractive target.
Many services put version numbers in their banners that, on a production server, serve no purpose other than making life easier for crackers. Making these banners disappear is not hard at all.
In the Apache httpd config you will usually find the following line (it is also the default when the directive is absent):
ServerTokens Full
which lets Apache display full version information, including the OS and the modules that are loaded.
Sometimes you will see:
ServerTokens OS
which only displays the version of Apache and the operating system it runs on.
If you change this into:
ServerTokens Prod
and restart httpd, the banner will just say "Server: Apache" and nothing else. Note that ServerTokens also controls the footer on server-generated error pages; set ServerSignature Off as well so the version does not leak there.
Many web applications are written in PHP, and many PHP releases have publicly known vulnerabilities. Advertising the PHP version number is therefore not very smart. Disabling it is easy:
Adapt the following setting in php.ini (or add it when it is not there):
expose_php = Off
After a restart of httpd, PHP no longer adds itself to the Server header and no longer sends its X-Powered-By header, so it is a lot harder to determine which version of PHP is being used.
Default installs of Postfix usually have the version number disabled, but a distribution or a previous admin may have enabled it (by appending ($mail_version) to the banner). It then looks something like this:
220 mail.example.com ESMTP Postfix (2.3.6)
You can fix this by setting the smtpd_banner value in main.cf back to the version-free form and reloading Postfix:
smtpd_banner = $myhostname ESMTP $mail_name
Like Postfix, vsftpd lets you set the banner in its configuration. If it is not set, the default greeting shows the version number:
220 (vsFTPd 2.0.5)
In vsftpd.conf, set the ftpd_banner option to a string that says nothing about which server software is in use.
After restarting vsftpd, that string is the only thing displayed in the banner.
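To check that the changes above actually took effect, it helps to look at the banners the way an attacker's script would. The following is an added example, not code from the original post: it audits banner strings for product/version tokens and OS hints. The sample banners are constructed from the ones quoted above plus their hardened forms; the grab_banner helper (host and port are supplied by the caller) fetches a live banner over the network and is only used when the script is run with arguments.

```python
"""Audit service banners for version and OS leakage."""
from __future__ import annotations

import re
import socket
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed samples: the banners quoted in the post and what they should
# look like after the configuration changes.
SAMPLE_BANNERS = {
    "http-full": "Server: Apache/2.0.59 (FreeBSD) PHP/4.4.7 with Suhosin-Patch DAV/2",
    "http-prod": "Server: Apache",
    "smtp-leaky": "220 mail.example.com ESMTP Postfix (2.3.6)",
    "smtp-fixed": "220 mail.example.com ESMTP Postfix",
    "ftp-leaky": "220 (vsFTPd 2.0.5)",
    "ftp-fixed": "220 Welcome",
}

# "Apache/2.0.59", "PHP/4.4.7", "DAV/2": product, a slash, a dotted number.
SLASH_VERSION = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")
# "Postfix (2.3.6)", "vsFTPd 2.0.5": product, optional space/paren, dotted number.
SPACE_VERSION = re.compile(r"\b([A-Za-z][\w-]*)\s*\(?(\d+\.\d+(?:\.\d+)*)\)?")
# "(FreeBSD)", "(Unix)": a purely alphabetic parenthesised token is an OS hint.
OS_HINT = re.compile(r"\(([A-Za-z][A-Za-z ]*)\)")


@dataclass
class Finding:
    versions: dict[str, str]   # product -> version string
    os_hint: Optional[str]     # operating system named in the banner, if any

    @property
    def leaks(self) -> bool:
        return bool(self.versions) or self.os_hint is not None


def audit_banner(banner: str) -> Finding:
    """Extract every product/version pair and OS hint from one banner line."""
    versions: dict[str, str] = {}
    for m in SLASH_VERSION.finditer(banner):
        versions[m.group(1)] = m.group(2)
    for m in SPACE_VERSION.finditer(banner):
        versions.setdefault(m.group(1), m.group(2))
    os_match = OS_HINT.search(banner)
    return Finding(versions, os_match.group(1) if os_match else None)


def audit_all(banners: dict[str, str]) -> dict[str, bool]:
    """Map each banner name to True if it leaks version or OS information."""
    return {name: audit_banner(b).leaks for name, b in banners.items()}


def grab_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """Fetch a live banner. HTTP needs a request first and returns only the
    Server header; SMTP and FTP greet on connect, so their first line is read."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port in (80, 8080):
            s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            for line in s.recv(4096).decode("latin-1").split("\r\n"):
                if line.lower().startswith("server:"):
                    return line
            return ""
        return s.recv(1024).decode("latin-1").strip()


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python banner_audit.py mail.example.com 25
        live = grab_banner(sys.argv[1], int(sys.argv[2]))
        print(live)
        print(audit_banner(live))
    else:
        for name, banner in SAMPLE_BANNERS.items():
            f = audit_banner(banner)
            state = "LEAK" if f.leaks else "ok"
            print(f"{name:11} {state:4} {f.versions} {f.os_hint or ''}")
```

Run it without arguments to see the constructed samples classified; the "-leaky" and "-full" banners are flagged, the hardened ones are not. Run it against your own hosts after the configuration changes and a restart, and anything still flagged is a banner you missed.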
Security through obscurity will not save you from a determined attack, but it does make your machine a little less attractive than the machine next door. It is a small speed bump, nothing more and nothing less. Never rely on a single line of defense; keep the services themselves patched and build a multi-layered security approach.