Apache port

lahirushanaka · 08-08-2014, 09:28 PM

Hi,

Is it possible to run apache only with https (443) and block port 80, then it is only work with https, can we configure Vhost only with https ? if it is possible, how can i do it ? is that okay to block port 80 from firewall, then hackers cant scan http headers.

realy i dont have adia of this can some one help me to resolve this

acid_kewpie · 08-09-2014, 02:33 AM

Absolutely, you would simply remove any "Listen" directives in your httpd.conf (or included file) which references that port number.

lahirushanaka · 08-09-2014, 03:03 AM

Thanks friend for infor, I will try this, one of our security staff scan our live server and send me a report with all the allow ports, services and version of the services, they are taking that infor reading by http header. so if i block that port they will not be able to read http header, Am I correct ?

acid_kewpie · 08-09-2014, 05:03 AM

No, if they establish an HTTPS session the same information would be given to them, just over a secure connection. Really depends what they actually foudn as to how to deal with it.

zer0python · 08-09-2014, 05:58 AM

Quote:

Thanks friend for infor, I will try this, one of our security staff scan our live server and send me a report with all the allow ports, services and version of the services, they are taking that infor reading by http header. so if i block that port they will not be able to read http header, Am I correct ?

Having worked briefly in the security field before, one of the things you may be looking for, is the ServerName directive.
Take a look at http://www.nsa.gov/ia/_files/os/redh...guide-i731.pdf Section 3.16.3 on some things they may be scanning to check.

Also, here's some commands you can use to check your HTTP server.

Check headers over normal HTTP.

Quote:

~[sodapipe]$ echo -e "HEAD / HTTP/1.0\n" | nc google.com 80
HTTP/1.0 200 OK
Date: Sat, 09 Aug 2014 10:53:34 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=3748450eed14ffa7:FF=0:TM=1407581614:LM=1407581614:S=SIZQN1zZPkLb3MQ0; expires=Mon, 08-Aug-2016 10:53:34 GMT; path=/; domain=.google.com
Set-Cookie: NID=67=QEG71pNBaJJseXj6oNEorg-JyfJHGdyKy5AZgor23RI77Q1iI9DPw8UVxRJ0O--VLdhdqHeCs7A6HXIR0NW8BGfml8neQOJs_Zpzfm7H7PiUYuNuiLV91G_3_Pc97Bcx; expires=Sun, 08-Feb-2015 10:53:34 GMT; path=/; domain=.google.com; HttpOnly
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accoun...&answer=151657 for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic

Check headers over SSL

Quote:

~[sodapipe]$ openssl s_client -connect google.com:443
HEAD / HTTP/1.0

HTTP/1.0 200 OK
Date: Sat, 09 Aug 2014 10:57:14 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=d2086ac119d0d435:FF=0:TM=1407581834:LM=1407581834:S=3mkNHWG9heO1ad-C; expires=Mon, 08-Aug-2016 10:57:14 GMT; path=/; domain=.google.com
Set-Cookie: NID=67=KJ0nAv8yhNsuZo_7-w6AsBppSS4zGr_OUNSYHTRlcyn9pWRdx9oivJ1s00D5fiH07UlJSs0_aA5GxoF52QLO5ImeMTnz8U4bGwRk_vPAXJH48Srw5iL-58RxzP4EsNym; expires=Sun, 08-Feb-2015 10:57:14 GMT; path=/; domain=.google.com; HttpOnly
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accoun...&answer=151657 for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 443:quic

read:errno=0