How to Disguise Your Web Server and Scripting Language
Recently I was given the task of building a picture hosting website
for a client. The site was built using Classic ASP because the client wanted
to be able to work on the site after the initial design phase and that is
what the client was familiar with. Now, despite what some people will tell
you, a high-end web site can still be built using Classic ASP and run just as
well as, if not better than, a site built using ASP.NET. That is not to say
that a site running ASP.NET wouldn't run better than a site using Classic ASP,
but it really all depends on the techniques used and the programmer. However,
that is not the focus of this article. The reason for this article is to go
over two techniques we used to disguise the type of Web server being used and
the scripting language the application was written in. We wanted to do this
to make it that much more difficult for a potential hacker to cause a problem.
The 1st step in disguising the Web site was at the server level. We went
with a product called ServerMask.
ServerMask gets installed on the server and allows you to
remove identifying details that
intruders could use to detect your OS and Web server vendor. You can also
make it appear as if you are running a different Web server and OS than you
really are, or even randomize what information is reported. This is the 1st
step in protecting your web site because potential crackers usually start by
attacking a server with known exploits. If they truly do not know what you
are running, the chances of them being successful are greatly diminished. I
won't go into the details of installing or configuring
ServerMask because it's honestly a piece of cake. As a matter of fact, my
grandmother could probably do it.
The 2nd step in disguising the Web site is also at the server level and
involves your page extensions. If someone sees ".asp" pages, they are going to
assume you're running an IIS server.
Granted, you could be using Chilisoft or SunOne on a Unix/Linux server to serve
pages, but the use of those products never really became popular, so that is
unlikely. Either way,
we do not want them making educated guesses. In order to really throw
people off, we went into IIS and configured ".htm" pages to run as ".asp".
This is done in the Application Configuration area in IIS for your Web site.
Basically, you set up ".htm" as an extension that is processed by "asp.dll".
You could actually throw off potential crackers by using any page extension
(".php", ".cgi", ".whatever").
Here is an
article that mentions the process.
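A way to confirm that both steps took effect, as an added example that is not from the original article: it scans one response's headers and the request path for identifiers that still name IIS or ASP, including the default Classic ASP session cookie name, which an extension remap alone does not change. The header patterns and both sample responses are constructed for illustration.

```python
import re

# Header/cookie patterns that still reveal the platform (this example's own list).
CHECKS = [
    ("Server", re.compile(r"IIS|Microsoft", re.I), "Server banner names the vendor"),
    ("X-Powered-By", re.compile(r".+"), "X-Powered-By announces the framework"),
    ("Set-Cookie", re.compile(r"^ASPSESSIONID|^ASP\.NET_SessionId", re.I),
     "session cookie name is the ASP default"),
]
SCRIPT_EXT = re.compile(r"\.(asp|aspx|asa)(\?|$)", re.I)

def parse_headers(raw):
    """Split a raw response head into (name, value) pairs, keeping repeats."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def find_leaks(raw_response_head, request_path):
    """Return a list of human-readable findings for one request/response."""
    findings = []
    if SCRIPT_EXT.search(request_path):
        findings.append("URL extension reveals the scripting language: " + request_path)
    for name, value in parse_headers(raw_response_head):
        for header, pattern, message in CHECKS:
            if name.lower() == header.lower() and pattern.search(value):
                findings.append(message + ": " + name + ": " + value)
    return findings

# Constructed sample: extension already remapped to .htm, banner not yet masked.
UNMASKED = """HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDQADBCRST=EXAMPLEEXAMPLEEXAMPLE; path=/
Content-Type: text/html"""

# Constructed sample: a response with no IIS or ASP identifiers left in it.
MASKED = """HTTP/1.1 200 OK
Server: Apache
Set-Cookie: sid=EXAMPLEEXAMPLEEXAMPLE; path=/
Content-Type: text/html"""

if __name__ == "__main__":
    for label, head in (("unmasked", UNMASKED), ("masked", MASKED)):
        print(label, find_leaks(head, "/gallery.htm"))
```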
All in all, these are just additional safeguards that will hopefully help to
keep the site running smoothly. Both of these things are relatively easy to
do if you are running your own Web server. If you are not, you will not be
able to do these things. Also, the site we applied these
techniques to was not mentioned in this article because it would not make
sense to mention it. After all, why bother protecting it if you are going to
tell people what you did and the URL of the site? The bottom line is that
these are techniques any security-conscious Web server operator should
consider looking into.