security through obscurity

Old 11-26-2003
kaptain kernel
 

I've got some security through obscurity questions - not directly related to
PHP programming per se, but indirectly related, as most php programmers are
also server admins of their servers.
I want to restrict what my box reports back to the likes of scanners like
Nmap & Nessus.

I know how to get PHP to not report its version number, and the same with
Apache.

My question is

a) how do I prevent MySQL from reporting its version number?

b) My Apache now reports itself as just "Apache" - can I fake that, and just
get it to report as, say, "MyWebServer"

c) Is it possible to get MySQL to report back as say "Oracle"?

d) What about PHP - can I fake the reporting of it to say "Tomcat version 2"
or something?




Old 11-26-2003
Michael Fuhr
 

kaptain kernel <nospam@nospam.gov> writes:

> I've got some security through obscurity questions - not directly related to
> PHP programming per se, but indirectly related, as most php programmers are
> also server admins of their servers.
> I want to restrict what my box reports back to the likes of scanners like
> Nmap & Nessus.


The use of security through obscurity is an old debate. I could
argue both sides, but I'll simply suggest that you do some research
to make sure you understand what obscurity provides and what it
doesn't provide.

> I know how to get PHP to not report its version number, and the same with
> Apache.
>
> My question is
>
> a) how do I prevent MySQL from reporting its version number?


You'll probably have to hack the source. But do you really need
to do this? You should have a firewall allowing only authorized
sources to connect to your MySQL server, and legitimate users might
need to know what version you're running (so they can look up what
features it supports, what known limitations or bugs it might have,
etc.).

I don't know about earlier versions of MySQL, but with 4.0.16 even
hosts that can make a TCP connection to the MySQL server won't see
a version number unless they're authorized to connect by the MySQL
authorization system:

Connection from an authorized host:

% telnet db.example.com 3306
Trying 10.1.2.3...
Connected to db.example.com.
Escape character is '^]'.
+
4.0.16-log...

Connect from an unauthorized host:

% telnet db.example.com 3306
Trying 10.1.2.3...
Connected to db.example.com.
Escape character is '^]'.
GHost 'unauthorized.example.com' is not allowed to connect to this MySQL server
Connection closed by foreign host.

> b) My Apache now reports itself as just "Apache" - can I fake that, and just
> get it to report as, say, "MyWebServer"
>
> c) Is it possible to get MySQL to report back as say "Oracle"?


You should be able to change the "Host...is not allowed to connect
to this MySQL server" message by editing the appropriate language's
errmsg.txt file and regenerating errmsg.sys; see the MySQL manual
for more information. If you're that insistent on obscurity, then
make sure you configure MySQL to listen on a port other than the
default (3306).

To remove all possible references to MySQL you might have to hack
the source, but make sure you don't break anything in the client-server
protocol. As I asked above, do you really need to do this, since
only authorized users should have access to this information anyway?

> d) What about PHP - can I fake the reporting of it to say "Tomcat version 2"
> or something?


You said you already knew how to tell PHP not to expose itself and
how to make Apache say it's something else, so you could just put
"Tomcat" in Apache's lie. Where else would you want to "fake the
reporting"?

--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
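
The two telnet sessions in the reply above, read at the byte level, as an added example that is not part of the original posts: the first packet a MySQL server sends is either a greeting carrying the version string or an error packet, and the stray "+" before the version is the packet's length byte (43). The function names are hypothetical and both sample packets are constructed, with the greeting fields after the version string zero-filled.

```python
import struct

def frame(payload: bytes, seq: int = 0) -> bytes:
    """Wrap a payload in the 4-byte packet header (3-byte LE length + sequence)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

# Constructed samples modelled on the two sessions above (not real captures).
# Greeting: protocol byte 10, NUL-terminated version, remaining 31 bytes zeroed.
GREETING = frame(b"\x0a" + b"4.0.16-log\x00" + bytes(31))
# Refusal: 0xff marker, 2-byte error code 1130, then the message text.
DENIED = frame(b"\xff" + struct.pack("<H", 1130) +
               b"Host 'unauthorized.example.com' is not allowed "
               b"to connect to this MySQL server")

def parse_first_packet(data: bytes) -> dict:
    """Classify the first packet a MySQL server sends after the TCP connect."""
    if len(data) < 5:
        raise ValueError("packet shorter than header plus one payload byte")
    length = int.from_bytes(data[0:3], "little")
    payload = data[4:4 + length]
    if length == 0 or len(payload) < length:
        raise ValueError("empty or truncated payload")
    if payload[0] == 0xFF:
        if length < 3:
            raise ValueError("error packet too short for an error code")
        code = struct.unpack_from("<H", payload, 1)[0]
        return {"kind": "error", "code": code, "version": None,
                "message": payload[3:].decode("latin-1")}
    end = payload.index(b"\x00", 1)  # ValueError if the version is unterminated
    return {"kind": "greeting", "protocol": payload[0], "message": "",
            "version": payload[1:end].decode("latin-1")}

def disclosure(data: bytes) -> list:
    """List what the first packet tells a host that merely connects."""
    p = parse_first_packet(data)
    found = []
    if p["version"]:
        found.append("version:" + p["version"])
    if "mysql" in p["message"].lower():
        found.append("product-name-in-error")
    return found

if __name__ == "__main__":
    for name, pkt in (("authorized", GREETING), ("unauthorized", DENIED)):
        print(name, parse_first_packet(pkt), disclosure(pkt))
```

Run against bytes captured from a connection to your own server, it shows that the refusal hides the version but still names the product, which is why the reply points at errmsg.txt.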