5/5 - (2 votes)

Last Updated on January 17, 2023 by Vikash Ekka

How to Hide Apache, Nginx, or PHP version on Ubuntu
How to Hide Apache, Nginx, or PHP version on Ubuntu
For an attacker, it is very easy to discover valuable information such as the web server version, server operating system, and PHP version.

It’s important to note that hiding the version number does not fully protect your server from potential security vulnerabilities, it’s still highly recommended to always keep your software up to date and follow best practices for securing your server.

 
In this tutorial post, we are going to show you how to hide this sensitive information (Hide Apache, Nginx, or PHP version) on the Ubuntu Server Operating system.


Step1. Let’s check Header Details of any Website.

You can use wget or curl command to fetch header details of any website via command line.


curl -IL https://some-server-ip-OR-domain-name/
curl -IL https://vetechno.in/

OR

wget --server-response --spider http://example.com/

When you run the above command you will get the below output. As you can see it clearly visible web server version, php version and other sensitive information.


root@vetechno:~# curl -IL https://vetechno.in

HTTP/1.1 301 Moved Permanently
Server: nginx/1.16.1
Date: Wed, 12 May 2021 07:05:13 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://www.vetechno.in/

HTTP/2 200
date: Wed, 12 May 2021 07:05:15 GMT
content-type: text/html; charset=UTF-8
server: nginx
vary: Accept-Encoding
x-powered-by: PHP/7.2.17
cache-control: must-revalidate, no-cache, private
link: <https://www.vetechno.in/>; rel="shortlink", <https://www.vetechno.in/>; rel="canonical"
link: <https://www.vetechno.in/home>; rel="revision"
link: <//d3tj4hjkds11o5e.cloudfront.net>; rel=preconnect; crossorigin
link: <//d3tj4hjkds11o5e.cloudfront.net>; rel=dns-prefetch
x-ua-compatible: IE=edge
content-language: en
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
expires: Mon, 10 Nov 2010 05:23:00 GMT
x-generator: Drupal 8 (https://www.drupal.org)
x-dns-prefetch-control: on
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-headers: Content-Type,Accept
access-control-allow-methods: GET, POST, OPTIONS, PUT, DELETE

Step2. Disable / hide Apache Web Server Details.

To hide the version of web server, open your Apache web server configuration file using your favorite editor:

$ sudo vi /etc/apache2/apache2.conf        #Ubuntu/Debian systems
$ sudo vi /etc/httpd/conf/httpd.conf         #CentOS/RHEL systems 

And add the below command. Then save and exit from conf file.


ServerTokens Prod
ServerSignature Off 

Step3. Restart the web server.


$ sudo systemctl restart apache2               #Ubuntu/Debian systems
OR
$ sudo service apache2 restart     
$ service httpd restart                                 #CentOS/RHEL systems 

Step4. Hide PHP Version

By default in the PHP configuration allows the HTTP response header ‘X-Powered-By’ to display/show the PHP version on the Server.

Find below php.ini configuration file

* Ubuntu/Debian/Linuxmint – /etc/php/7.4/cli/php.ini

* CentOS/Fedora/Redhat – /etc/php.ini

Before you making any changes to php.ini configuration file, I suggest you to first make a backup of your php.ini config file


---------------- On Debian/Ubuntu  veTechno---------------- 
$ sudo cp /etc/php/7.4/cli/php.ini  /etc/php/7.4/cli/php.ini.bkp 

---------------- On CentOS/RHEL/Fedora veTechno ---------------- 
$ sudo cp /etc/php.ini /etc/php.ini.bkp

Step5. Now open the file with your favorite text editor with super user privileges.


$ sudo vi /etc/php/7.4/cli/php.ini              #Ubuntu/Debian Systems
$ sudo vi /etc/php.ini                                #CentOS/RHEL Systems

Search the keyword expose_php and set its value to Off:


expose_php = off

Step6. Save the file and exit. Then restart the Apache web server as given below.


$ sudo systemctl restart apache2            #Ubuntu/Debian Systems
$ sudo systemctl restart httpd                 #CentOS/RHEL Systems

Step7. Verify the Settings

Now verify the necessary changes in your server and compare the output with earlier results by following commands. 


curl -IL https://some-server-ip-OR-domain-name/
curl -IL https://vetechno.in/

OR

wget --server-response --spider http://example.com/

 
Find the below final results.


root@vetechno:~# curl -IL https://vetechno.in

HTTP/1.1 200 OK
Date: Wed, 12 May 2021 11:21:45 GMT
Server: Apache
Last-Modified: Thu, 26 Jan 2019 11:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8

Conclusion

Congratulation you have successfully  Hide Apache, Nginx, or PHP version on Ubuntu/CentOS.

it is recommended that you disable or hide this information from attackers who might be targeting your server by requiring you to know whether you are running PHP or not, Apache or Nginx.

Please let me know in the comment box you are facing any issue while configuring the settings.

By Vikash Ekka

Hi All, My name is Vikash Ekka from India. I’m the founder and tech editor of https://www.vetechno.in. I have completed my Graduation in BCA. I love to write technical articles like Windows, Linux & MAC Tutorials, Tips, Tricks, How To fix, Tutorials About Ethical Hacking & Cyber Security Guide, and Software Review. Currently, I have been working as an IT professional since 2018.

2 thoughts on “How to Hide Apache, Nginx, or PHP version on Ubuntu”

Leave a Reply

Your email address will not be published. Required fields are marked *