Apache PHP Fingerprinting

This article bundles some best practices for hardening Apache/PHP against fingerprinting, to make your webserver a little more secure!

Apache
Here is a nice article for some of the basics!

The following configuration should be made in your "httpd.conf".

Disable server information prompt on error page
ServerSignature Off

Disable server detail information prompt in HTTP header
ServerTokens Prod

Change "Server: Apache" to what you want
To get rid of the "Server: Apache" message in the HTTP header you have (as we know) only two choices.

First: Change the Apache source & compile your Apache yourself
You can change the product name & version in the Apache sources. Just download the httpd-package from apache.org and extract it. Once extracted you have to edit the "include/ap_release.h". There you can change BASEPRODUCT / BASEPROJECT / BASEVENDOR & the versions.

Second: Install & configure ModSecurity
Haven't tested that yet but the ModSecurity reference manual describes it well.

PHP
The configuration is made via the "php.ini". Here is another nice article for PHP.

Disable PHP X-Powered-By
expose_php=off

Testing your settings
All you need to test whether your settings were successful is a telnet client.

Telnet test
This is an example of how to see your HTTP header.

HEAD / HTTP/1.0 test 
telnet text.xy.com 80

The output of the above sample should be:

HTTP/1.1 400 Bad Request
Date: Thu, 02 Feb 2012 19:38:27 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=iso-8859-1

Connection closed by foreign host.
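
The same check can be scripted. The following is an added example, not part of the original article: it audits a raw HTTP response for the three banners the settings above are meant to remove. The function names (fetch_raw, audit_response) and both sample responses, including the version strings in them, are constructed for illustration.

```python
import re
import socket

# Constructed sample responses (not captured from a real server).
LEAKY = ("HTTP/1.1 404 Not Found\r\n"
         "Server: Apache/2.2.22 (Debian) PHP/5.3.10\r\n"
         "X-Powered-By: PHP/5.3.10\r\n"
         "Content-Type: text/html\r\n\r\n"
         "<html><body><h1>Not Found</h1><hr>\n"
         "<address>Apache/2.2.22 (Debian) Server at text.xy.com Port 80</address>\n"
         "</body></html>")
HARDENED = ("HTTP/1.1 400 Bad Request\r\n"
            "Server: Apache\r\n"
            "Connection: close\r\n"
            "Content-Type: text/html; charset=iso-8859-1\r\n\r\n")

def fetch_raw(host, port=80, method="HEAD", path="/", timeout=5):
    """Send one HTTP/1.0 request, as the telnet test does by hand."""
    req = f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("iso-8859-1")

def audit_response(raw):
    """Return (setting, evidence) pairs for each banner the response still leaks."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    findings = []
    server = headers.get("server", "")
    # ServerTokens Prod leaves a bare product name: no "/version", "(OS)" or module list.
    if re.search(r"[/( ]", server):
        findings.append(("ServerTokens", server))
    # expose_php=off removes the X-Powered-By header entirely.
    if "x-powered-by" in headers:
        findings.append(("expose_php", headers["x-powered-by"]))
    # ServerSignature On appends an <address> footer to Apache-generated error pages.
    sig = re.search(r"<address>(.*?Server at .*? Port \d+)</address>", body, re.I | re.S)
    if sig:
        findings.append(("ServerSignature", sig.group(1)))
    return findings

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, audit_response(raw))
```

A HEAD response carries no body, so to exercise the ServerSignature check against your own server, pass fetch_raw a GET for a path that does not exist and audit the resulting error page.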

W3AF
Just install the Web Application Attack and Audit Framework and make a scan of your website via the "Wizard". With the above settings there should be no detailed information of your webserver, only "Server: Apache".

Links
Task learn how to secure Apache and PHP by hiding version information and other information
Apache HTTP Server
modsecurity.org
ModSecurity reference manual
Apache Tips & Tricks: Hide PHP version (X-Powered-By)
Web Application Attack and Audit Framework