
Loose Lips Can Sink Websites Too

Alex Leung

Oct 21, 2024


Alex Leung is a Senior Enterprise Architect at Akamai Technologies. With over nine years at Akamai, Alex has been instrumental in advancing the capabilities of streaming high-quality media content through Akamai.


When we think about keeping websites safe, we often imagine complex firewalls, multi-layered defenses, and robust encryption. But sometimes, the weak link in your security chain is not that obvious. It can be as simple as a misplaced configuration or an exposed version number. Loose configuration settings can sink websites too. This blog will dive into how exposed version numbers in your tech stack can lead to serious vulnerabilities, and what you can do to tighten security.

A Real-World Example: Exposed PHP Version

During a routine security assessment, we discovered an outdated PHP version being openly advertised by a website’s server configuration. It’s a prime example of what not to do. Using tools like Wappalyzer, a quick glance revealed the PHP version: 8.2.19. On the surface, it might seem like a small oversight, but the repercussions can be severe.

This particular version of PHP has several critical vulnerabilities linked to it. One of the most concerning is CVE-2024-4577, which could potentially allow an attacker to execute arbitrary code remotely. In other words, by simply revealing that it uses this version of PHP, the website might as well have put a “Welcome Hackers” sign on its front door.

For more details on the vulnerabilities associated with this version, see Tenable’s analysis.

Why Do Exposed Version Numbers Matter?

Every technology stack — whether it’s a CMS, a server, or a scripting language — has a lifecycle. New versions come out regularly to patch vulnerabilities and improve performance. But when a website exposes the exact versions it’s running, bad actors can easily cross-reference known vulnerabilities for each version and tailor their attacks accordingly. This is known as a cyber supply chain attack — attackers target specific software versions within an organization’s tech stack to compromise its overall security.

A Practical Fix: Turning Loose Lips Into Tight Lips

So, how do you make sure your website isn’t leaking this crucial information? For starters, review your server configurations and make sure sensitive details aren’t being broadcast to the world. Let’s walk through a quick fix for one of the most common offenders: PHP.

  1. Find your php.ini configuration file. This file controls many of PHP’s settings and can often be found at /usr/local/lib/php.ini.
  2. Locate the line that reads:
    expose_php = On  
  3. Change the setting to:
    expose_php = Off  
  4. Restart your HTTP service to apply the changes.

With this small tweak, you’re effectively preventing your server from broadcasting its PHP version. While it’s a simple fix, it can significantly reduce your attack surface.
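One way to confirm the change took effect, as an added example that is not part of the original post: with `expose_php` enabled, PHP adds an `X-Powered-By: PHP/<version>` response header, so the check below covers both the php.ini value and the headers a server returns. The function names, the sample php.ini, the sample headers and the URL are constructed for illustration, and the header check goes slightly beyond the PHP fix by also flagging a versioned `Server` header.

```shell
#!/bin/sh
# Added example: confirm the expose_php change took effect. Sample data is constructed.

# Print the effective expose_php value ("On"/"Off") for a php.ini file.
# ';' starts a comment, the last uncommented assignment wins, and a missing
# directive falls back to PHP's built-in default, which is On.
expose_php_effective() {
    value=$(sed -n 's/^[[:space:]]*expose_php[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*$/=\1/p' "$1" |
        tail -n 1 | tr -d '"' | tr '[:upper:]' '[:lower:]')
    case $value in
        ''|'=on'|'=true'|'=yes'|=[1-9]*) echo On ;;   # unset, or explicitly enabled
        *) echo Off ;;                                # off/false/no/0/empty
    esac
}

# Read HTTP response headers on stdin and print any X-Powered-By or Server
# header that carries a dotted version number. Returns 0 if one was found.
leaky_headers() {
    tr -d '\r' | grep -iE '^(x-powered-by|server):.*[0-9]+\.[0-9]+'
}

# Constructed php.ini: the "Off" line is commented out, so PHP still says On.
demo_ini=$(mktemp)
cat > "$demo_ini" <<'EOF'
[PHP]
; expose_php = Off
expose_php = On
EOF
echo "effective expose_php: $(expose_php_effective "$demo_ini")"
rm -f "$demo_ini"

# Constructed response headers, as `curl -sI` would print them before the fix.
printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP/8.2.19\r\n' |
    leaky_headers || echo "no version-bearing headers"

# Against a server you operate (placeholder URL):
#   curl -sI https://www.example.com/ | leaky_headers
```

Run the header check after restarting the HTTP service; if `X-Powered-By` still appears, the running PHP is reading a different php.ini than the one that was edited.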

Beyond Version Obfuscation: Comprehensive LAMP Stack Security

Obfuscating your version numbers is a great first step, but true security requires a holistic approach. If you’re running a LAMP stack (Linux, Apache, MySQL, and PHP), you need to secure each component to prevent attackers from finding other points of entry. This means tightening configurations, managing permissions, and implementing tools like firewalls and intrusion detection systems.

For example, ensuring that your MySQL installation is locked down can prevent database attacks that might compromise sensitive data. Similarly, setting up proper file permissions and disabling unused modules in Apache can limit the reach of an attacker even if they do find a way in.

Another measure you can take is implementing a firewall like our Web Application Firewall to control traffic to your server, along with Fail2Ban to automatically block IP addresses that show signs of brute-forcing your SSH login.

Regular Audits and Best Practices

Securing your LAMP stack isn’t a one-time task. Regular audits using tools like Lynis or MySQL Security Tools can help identify weak points in your configuration and keep your stack resilient against emerging threats. This means running system scans, analyzing logs, and testing your configuration for potential gaps on an ongoing basis.

Protecting your website is about more than just hiding version numbers. While exposed versions are a common vulnerability, they are just one piece of the puzzle. To fully safeguard your LAMP stack, you need to take a comprehensive approach that addresses configuration management, access control, and continuous monitoring.

To dive deeper into securing each part of your LAMP stack—from locking down SSH to tightening MySQL permissions and implementing advanced security rules for Apache—check out the full guide on Securing Your LAMP Stack. It provides step-by-step instructions and advanced techniques to protect your server from the ground up, ensuring a robust and secure foundation for your web applications.
