Posts

Showing posts with the label security

Server Security - Secure Your Website using the .htaccess file

What is a .htaccess file? .htaccess files provide a way to set configuration on a per-directory basis. In the .htaccess file, we provide directives to apply a configuration. When to use .htaccess: Generally, this file should be used when you have no access to your server configuration file (httpd.conf). The best example would be shared hosting providers, where you don’t get root access to make changes in the httpd.conf file. In such scenarios .htaccess plays a very important role. In shared hosting, we make .htaccess files to secure our websites. We create this file in each directory to secure it from hackers or attackers. When to avoid the .htaccess file: We should not use this if we have access to our main configuration file. There are two main reasons to avoid the use of .htaccess files. The first of these is performance. When AllowOverride is set to allow the use of .htaccess files, httpd will look in every directory for .htaccess files. Thus, permitting .htaccess files causes a perfo

Server Security - Hide PHP Version

The PHP configuration by default exposes the PHP version in the HTTP response header X-Powered-By, displaying the version installed on the server. For security reasons, it is generally recommended to hide the version info from attackers or hackers. Some versions have known vulnerabilities which help attackers find loopholes and gain access to your system. If the attacker knows the PHP version then it is easier for them to find and exploit security holes. Therefore in this article “Server Security – Hide PHP Version” I will explain how to hide the PHP version from the response header. Suggested Read: Secure Apache Web Server. To hide the version we need to open the php.ini file in a file editor. expose_php = On expose_php = Off You may find php.ini in the following locations: Debian/Ubuntu – /etc/php/7.0/cli/php.ini; CentOS – /etc/php.ini. Now locate expose_php and set its value to Off: expose_php = off Save the file and exit. Afterwards restart the server: $ sudo servi

Server Security - Disable Directory Listing

Directory Listing: Directory listing is enabled by default in an Apache server. This happens when there is no index.html file (the default) available in the directory. If there is no index file available in the directory then Apache doesn’t know which file to display, so it displays all the files and folders in the directory. Please see the screenshot below. In the above image, the index file is the default file that is under the website folder. So when I access my localhost with the following address – localhost/website1 or 192.168.1.2/website1 – it shows the following page. It is actually showing the website because Apache knows exactly which file to display, i.e. index.html. But if I rename the index.html file to index1.html, let’s see what happens. This time when I access my website1 folder again it shows all the files and folders inside the website1 folder. Files & Folders List. Prevention: In order to prevent this, you need to disable directory listing in h

Server Security - Apache Web Server Hardening

Whenever a request is made from a client to a server, some headers are sent from the server to the client, and vice versa. So when we receive the server response we get some headers that give extra information about the server. This information sometimes helps hackers break into your server. In order to stop unauthorized access we secure our server. So in this article “Server Security – Apache Web Server Hardening” I will secure the Apache server by removing the server details from the response headers. This comes under the Banner Grabbing attack. In the banner grabbing method, a hacker tries to identify the target system’s OS or server name and version in order to penetrate the system. To understand this, look at the image below. Server Details. If you look at the image you will find that in the server response headers we are actually getting lots of details. We are getting the following items: 1. Server Name and Version (Apache & 2.4.43) 2. OS Na