秋梦无痕

Hiding the version information of network services

from: http://salogs.com/2011/03/hide-network-services-version-information/

Any server exposed to the Internet can become an attack target. The name and version banner of the services it runs are usually the first thing an attacker wants to learn, so hiding or changing the version information is an effective way to prevent part of this malicious activity.

Below are the ways to change this for several common network services:

1. The BIND service

# nslookup -q=txt -class=CHAOS version.bind. localhost
Server: localhost
Address: 127.0.0.1#53

version.bind text = "9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3"

Here the version of the DNS server is plainly visible.

Hiding the BIND version
Edit /etc/named.conf and add the version directive to the options block:

options {
    directory "/var/named";
    version "[ Hello World ]";
};

Then reload the named service and query again:

# nslookup -q=txt -class=CHAOS version.bind. localhost
Server: localhost
Address: 127.0.0.1#53

version.bind text = "[ hello world ! ]"


2. The Apache service

# Set to one of: Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
## Stop Apache from revealing its version and the operating system name in the response (Server) header
ServerTokens Prod

## Turn off the server version signature on pages Apache generates itself (error pages, directory listings)
ServerSignature Off


3. PHP

; Decides whether PHP should advertise the fact that it is installed on the server
; (e.g. by adding its signature to the headers the Web server sends).
; (My personal view: turn this off whenever some powered-by header shows up.)
; It is no security threat in itself, but it makes it possible to check whether PHP is installed on your server.
expose_php = Off


4. Squid
Edit the configuration file:

via off
The following header_access lines go after the acl definitions.
header_access X-Cache deny all
header_access X-Squid-Error deny all

Security settings for a Squid reverse proxy
Add the following to your squid.conf:
header_access Via deny all
header_access Server deny all
header_access X-Cache deny all
header_access X-Cache-Lookup deny all

Other headers can be removed the same way; the list of header names follows:
Accept HTTP_ACCEPT
Accept-Charset HTTP_ACCEPT-CHARSET
Accept-Encoding HTTP_ACCEPT-ENCODING
Accept-Language HTTP_ACCEPT-LANGUAGE
Accept-Ranges HTTP_ACCEPT-RANGES
Age HTTP_AGE
Allow HTTP_ALLOW
Authorization HTTP_AUTHORIZATION
Cache-Control HTTP_CACHE-CONTROL
Connection HTTP_CONNECTION
Content-Base HTTP_CONTENT-BASE
Content-Disposition HTTP_CONTENT-DISPOSITION
Content-Encoding HTTP_CONTENT-ENCODING
Content-Language HTTP_CONTENT-LANGUAGE
Content-Length HTTP_CONTENT-LENGTH
Content-Location HTTP_CONTENT-LOCATION
Content-MD5 HTTP_CONTENT-MD5
Content-Range HTTP_CONTENT-RANGE
Content-Type HTTP_CONTENT-TYPE
Cookie HTTP_COOKIE
Date HTTP_DATE
ETag HTTP_ETAG
Expires HTTP_EXPIRES
From HTTP_FROM
Host HTTP_HOST
If-Match HTTP_IF-MATCH
If-Modified-Since HTTP_IF-MODIFIED-SINCE
If-None-Match HTTP_IF-NONE-MATCH
If-Range HTTP_IF-RANGE
Last-Modified HTTP_LAST-MODIFIED
Link HTTP_LINK
Location HTTP_LOCATION
Max-Forwards HTTP_MAX-FORWARDS
Mime-Version HTTP_MIME-VERSION
Pragma HTTP_PRAGMA
Proxy-Authenticate HTTP_PROXY-AUTHENTICATE
Proxy-Authentication-Info HTTP_PROXY-AUTHENTICATION-INFO
Proxy-Authorization HTTP_PROXY-AUTHORIZATION
Proxy-Connection HTTP_PROXY-CONNECTION
Public HTTP_PUBLIC
Range HTTP_RANGE
Referer HTTP_REFERER
Request-Range HTTP_REQUEST-RANGE
Retry-After HTTP_RETRY-AFTER
Server HTTP_SERVER
Set-Cookie HTTP_SET-COOKIE
Title HTTP_TITLE
Transfer-Encoding HTTP_TRANSFER-ENCODING
Upgrade HTTP_UPGRADE
User-Agent HTTP_USER-AGENT
Vary HTTP_VARY
Via HTTP_VIA
Warning HTTP_WARNING
WWW-Authenticate HTTP_WWW-AUTHENTICATE
Authentication-Info HTTP_AUTHENTICATION-INFO
X-Cache HTTP_X-CACHE
X-Cache-Lookup HTTP_X-CACHE-LOOKUP
X-Forwarded-For HTTP_X-FORWARDED-FOR
X-Request-URI HTTP_X-REQUEST-URI
X-Squid-Error HTTP_X-SQUID-ERROR
Negotiate HTTP_NEGOTIATE
X-Accelerator-Vary HTTP_X-ACCELERATOR-VARY
Other: HTTP_OTHER

Squid 3.0 is a little different: header stripping is controlled with the reply_header_access directive.
The Squid 3.0 configuration is as follows:

reply_header_access Server deny all
reply_header_access X-Cache deny all
reply_header_access Warning deny all
reply_header_access Expires deny all
reply_header_access Cache-Control deny all
reply_header_access age deny all
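To verify that the BIND, Apache/PHP and Squid settings above actually took effect, here is an added audit script (my own example, not from the original post) that checks a captured HTTP response and captured nslookup output for the banners this page suppresses. The responses and version strings inside it are constructed samples, and the header grading assumes that ServerTokens Prod leaves only the bare product name.

```python
"""Check captured responses for the version banners this post tells you to suppress."""
import re

# Headers the Apache, PHP and Squid settings on this page remove or neutralise.
LEAKY_HEADERS = ("Server", "X-Powered-By", "Via", "X-Cache",
                 "X-Cache-Lookup", "X-Squid-Error")

# Constructed sample responses: before and after applying the settings.
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Server: Apache/2.2.3 (CentOS)\r\n"          # ServerTokens Full-style banner
          "X-Powered-By: PHP/5.1.6\r\n"                # expose_php = On
          "Via: 1.0 proxy (squid/2.6.STABLE21)\r\n"   # squid 'via on'
          "X-Cache: MISS from proxy\r\n"
          "Content-Type: text/html\r\n\r\n<html>")
AFTER = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"      # ServerTokens Prod
         "Content-Type: text/html\r\n\r\n<html>")


def parse_headers(raw):
    """Parse a raw HTTP response into a dict keyed by lower-cased header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_http(raw):
    """Return a list of findings; empty means no leaky header survived."""
    findings = []
    headers = parse_headers(raw)
    for name in LEAKY_HEADERS:
        value = headers.get(name.lower())
        if value is None:
            continue
        if name == "Server":
            # A bare product name is what ServerTokens Prod yields; a "/x.y"
            # version or a parenthesised OS token means more is exposed.
            if re.search(r"/\d", value) or "(" in value:
                findings.append(f"Server header leaks version/OS: {value}")
            continue
        findings.append(f"{name} header present: {value}")
    return findings


def audit_bind(nslookup_output):
    """Return (version.bind value, looks_like_real_version) from nslookup output, or None."""
    m = re.search(r'version\.bind\s+text\s*=\s*"([^"]*)"', nslookup_output)
    if not m:
        return None
    value = m.group(1)
    return value, bool(re.search(r"\d+\.\d+", value))   # e.g. "9.3.6" vs "[ hello world ! ]"
```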