Server vulnerabilities with Apache & PHP

WebHostingUK

Verified User
Joined
Dec 10, 2017
Messages
36
2 Issues when testing with security.firewallmonitor.org/ im getting the following

ServerSignature Off
ServerTokens Prod

I'm needing main file location to change these values

AND ALSO...

This is what the server is responding with:
PHP/7.2.24

"How to Fix
PHP: Edit the php.ini file and modify the following value
expose_php = Off"

I've already made edits to PHP versions 7.3 and 7.2 by using "php --ini" and editing the following files

/usr/local/php73/lib/php.ini
/usr/local/php72/lib/php.ini

then updating custombuild, but its showing that they've not been fixed when I check using my website but if I check using the hostname it has fixed it.
 
Last edited:

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,461
Hiding these is what I would call security by obscurity, and it provide no security at all. It is not worth it. The best thing is just make sure to alway run the latest versions. It is discussed here: https://stackoverflow.com/questions/533965/why-is-security-through-obscurity-a-bad-idea - here is one quote I like:

Security through obscurity can be said to be bad because it often implies that the obscurity is being used as the principal means of security. Obscurity is fine until it is discovered, but once someone has worked out your particular obscurity, then your system is vulnerable again. Given the persistence of attackers, this equates to no security at all.
Actually, I would never hide those versions, even if DirectAdmin made it easy to do. Hacker run bots wich blindly scan for vulnerabilities, and don't care if you run a version wich does not have the vulnerabilities or not, they just scan for vulnerabilities blindly, and they are not interested in spending time looking at what versions of software you are actually running.
 
Last edited:

WebHostingUK

Verified User
Joined
Dec 10, 2017
Messages
36
Hiding these is what I would call security by obscurity, and it provide no security at all. It is not worth it. The best thing is just make sure to alway run the latest versions. It is discussed here: https://stackoverflow.com/questions/533965/why-is-security-through-obscurity-a-bad-idea - here is one quote I like:



Actually, I would never hide those versions, even if DirectAdmin made it easy to do. Hacker run bots wich blindly scan for vulnerabilities, and don't care if you run a version wich does not have the vulnerabilities or not, they just scan for vulnerabilities blindly, and they are not interested in spending time looking at what versions of software you are actually running.
Ok, I still need the main PHP file to change max_input_vars
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,461
The path to php.ini you listed seem correct to me. However I only run one PHP version, and also only run php-fpm. So things might be different for you.

After you edited /usr/local/php73/lib/php.ini and /usr/local/php72/lib/php.ini, did you remember to reload both php versions? If not, that could explain why you did not see the changes in your website. If you run php-fpm, then you reload the versions like this:

systemctl reload php-fpm72.service
and
systemctl reload php-fpm73.service
 

WebHostingUK

Verified User
Joined
Dec 10, 2017
Messages
36
The path to php.ini you listed seem correct to me. However I only run one PHP version, and also only run php-fpm. So things might be different for you.

After you edited /usr/local/php73/lib/php.ini and /usr/local/php72/lib/php.ini, did you remember to reload both php versions? If not, that could explain why you did not see the changes in your website. If you run php-fpm, then you reload the versions like this:

systemctl reload php-fpm72.service
and
systemctl reload php-fpm73.service
I've also tried using the commands given, nothings changed.

Just to make it also a bit more complex a client is also running PHP 7.3 and tried to export his database but its failing as its capped his max_input_vars at 1000 whereas in php.ini its set as 10000.
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,461
I am not the right person to try to help, because as said I only use one PHP version. However if you have this path: /usr/local/php/lib/php.ini , then try changing that php.ini also, and then do (becase you could be running mod_php also, but I can't guess on your setup):

Code:
systemctl reload httpd.service
 

WebHostingUK

Verified User
Joined
Dec 10, 2017
Messages
36
I am not the right person to try to help, because as said I only use one PHP version. However if you have this path: /usr/local/php/lib/php.ini , then try changing that php.ini also, and then do (becase you could be running mod_php also, but I can't guess on your setup):

Code:
systemctl reload httpd.service
Yes i've also tried that, but no change.
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
641
Location
Netherlands Germany
Hiding these is what I would call security by obscurity, and it provide no security at all. It is not worth it. The best thing is just make sure to alway run the latest versions. It is discussed here: https://stackoverflow.com/questions/533965/why-is-security-through-obscurity-a-bad-idea - here is one quote I like:



Actually, I would never hide those versions, even if DirectAdmin made it easy to do. Hacker run bots wich blindly scan for vulnerabilities, and don't care if you run a version wich does not have the vulnerabilities or not, they just scan for vulnerabilities blindly, and they are not interested in spending time looking at what versions of software you are actually running.

And for some simple external test / audit for security it makes sense that those tester ( online whatever) could see version to give you advise. ( more presice testers looking on the server itself) depending time / budget
 

WebHostingUK

Verified User
Joined
Dec 10, 2017
Messages
36
Wheres the developers and/or owners surely someone should know how to resolve the issues?
 

WebHostingUK

Verified User
Joined
Dec 10, 2017
Messages
36
If you need support, then open a ticket at https://tickets.directadmin.com
I post in the forum, should anyone else have the same issue.

To update i've used the ./build all which has fixed the issue for all the other domains except the host names domain, im still getting:

This is what the server is responding with:
W3 Total Cache/0.10.1

How to Fix
PHP: Edit the php.ini file and modify the following value
expose_php = Off

I've also got suhosin enabled within custombuild.

**UPDATE - ISSUE RESOLVED**
 
Last edited:
Top