How to Hide Apache, Nginx, or PHP version on Ubuntu


For an attacker, it is very easy to discover valuable information such as the web server version, server operating system, and PHP version.

It is recommended that you disable or hide this information from attackers who might be targeting your server and who need to know whether you are running PHP, Apache, or Nginx.


In this tutorial post, we are going to show you how to hide this sensitive information (the Apache, Nginx, or PHP version) on the Ubuntu Server operating system.


Step1. Let’s check the header details of any website.

You can use the wget or curl command to fetch the header details of any website from the command line.


curl -IL https://some-server-ip-OR-domain-name/
curl -IL https://vetechno.in/

OR

wget --server-response --spider http://example.com/

When you run the above command, you will get the output below. As you can see, the web server version, PHP version, and other sensitive information are clearly visible.


root@vetechno:~# curl -IL https://vetechno.in

HTTP/1.1 301 Moved Permanently
Server: nginx/1.16.1
Date: Wed, 12 May 2021 07:05:13 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://www.vetechno.in/

HTTP/2 200
date: Wed, 12 May 2021 07:05:15 GMT
content-type: text/html; charset=UTF-8
server: nginx
vary: Accept-Encoding
x-powered-by: PHP/7.2.17
cache-control: must-revalidate, no-cache, private
link: <https://www.vetechno.in/>; rel="shortlink", <https://www.vetechno.in/>; rel="canonical"
link: <https://www.vetechno.in/home>; rel="revision"
link: <//d3tj4hjkds11o5e.cloudfront.net>; rel=preconnect; crossorigin
link: <//d3tj4hjkds11o5e.cloudfront.net>; rel=dns-prefetch
x-ua-compatible: IE=edge
content-language: en
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
expires: Mon, 10 Nov 2010 05:23:00 GMT
x-generator: Drupal 8 (https://www.drupal.org)
x-dns-prefetch-control: on
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-headers: Content-Type,Accept
access-control-allow-methods: GET, POST, OPTIONS, PUT, DELETE

Step2. Disable / hide Apache Web Server Details.

To hide the version of the web server, open your Apache web server configuration file using your favorite editor:

$ sudo vi /etc/apache2/apache2.conf #Ubuntu/Debian systems
$ sudo vi /etc/httpd/conf/httpd.conf #CentOS/RHEL systems

Add the directives below, then save and exit the configuration file.


ServerTokens Prod
ServerSignature Off

Step3. Restart the web server.


$ sudo systemctl restart apache2 #Ubuntu/Debian systems
OR
$ sudo service apache2 restart
$ sudo service httpd restart #CentOS/RHEL systems

Step4. Hide PHP Version

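By default, the PHP configuration allows the HTTP response header ‘X-Powered-By’ to show the PHP version running on the server.

The php.ini configuration file is located at:

* Ubuntu/Debian/Linuxmint – /etc/php/7.4/cli/php.ini

* CentOS/Fedora/Redhat – /etc/php.ini

Note that on Ubuntu/Debian the cli directory holds the command-line configuration; when PHP runs as an Apache module or under PHP-FPM, the php.ini that governs web responses is /etc/php/7.4/apache2/php.ini or /etc/php/7.4/fpm/php.ini, so apply the same change there.

Before making any changes to the php.ini configuration file, I suggest you first make a backup of it: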


---------------- On Debian/Ubuntu ----------------
$ sudo cp /etc/php/7.4/cli/php.ini /etc/php/7.4/cli/php.ini.bkp

---------------- On CentOS/RHEL/Fedora ----------------
$ sudo cp /etc/php.ini /etc/php.ini.bkp

Step5. Now open the file with your favorite text editor with superuser privileges.


$ sudo vi /etc/php/7.4/cli/php.ini #Ubuntu/Debian Systems
$ sudo vi /etc/php.ini #CentOS/RHEL Systems

Search for the keyword expose_php and set its value to Off:


expose_php = off

Step6. Save the file and exit. Then restart the Apache web server as given below.


$ sudo systemctl restart apache2 #Ubuntu/Debian Systems
$ sudo systemctl restart httpd #CentOS/RHEL Systems

Step7. Verify the Settings

Now verify the changes on your server and compare the output with the earlier results using the following commands.


curl -IL https://some-server-ip-OR-domain-name/
curl -IL https://vetechno.in/

OR

wget --server-response --spider http://example.com/

 
The final results are shown below.


root@vetechno:~# curl -IL https://vetechno.in

HTTP/1.1 200 OK
Date: Wed, 12 May 2021 11:21:45 GMT
Server: Apache
Last-Modified: Thu, 26 Jan 2019 11:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8
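
The comparison in Step7 can be scripted so that a leftover version header is reported instead of being spotted by eye. This is an added example, not part of the original tutorial: the function name find_version_leaks is an assumption, the two sample header sets are constructed by abridging the outputs shown above, and flagging X-Generator goes beyond the settings changed in this guide.

```shell
#!/bin/sh
# Added example: report response headers that still disclose software versions.
# Input is raw header text on stdin, for example:
#   curl -sIL https://example.com/ | find_version_leaks
# Prints one line per finding; exit status is 1 if anything was found.
find_version_leaks() {
    awk '
    { sub(/\r$/, "") }              # curl output keeps CRLF line endings
    /^HTTP\// { hop++; next }       # -L prints one header set per redirect hop
    {
        i = index($0, ":")
        if (i == 0) next            # blank separator or malformed line
        name = tolower(substr($0, 1, i - 1))   # header names are case-insensitive
        value = substr($0, i + 1)
        sub(/^[ \t]+/, "", value)
        leak = 0
        # Server is normally always sent; it is a finding only when it carries
        # a version number (ServerTokens Prod leaves just "Apache").
        if (name == "server" && value ~ /[0-9]/) leak = 1
        # These headers exist only to advertise software, so presence is a finding.
        if (name == "x-powered-by" || name == "x-generator") leak = 1
        if (leak) { printf "hop %d: %s: %s\n", hop, name, value; bad++ }
    }
    END { exit (bad > 0) }
    '
}

# Constructed sample: abridged from the Step1 output (before the changes).
BEFORE='HTTP/1.1 301 Moved Permanently
Server: nginx/1.16.1
Location: https://www.vetechno.in/

HTTP/2 200
server: nginx
x-powered-by: PHP/7.2.17
x-generator: Drupal 8 (https://www.drupal.org)'

# Constructed sample: abridged from the Step7 output (after the changes).
AFTER='HTTP/1.1 200 OK
Date: Wed, 12 May 2021 11:21:45 GMT
Server: Apache
ETag: "1321-5058a1e728280"
Content-Type: text/html; charset=UTF-8'

printf '%s\n' "$BEFORE" | find_version_leaks || echo "before: version details still exposed"
printf '%s\n' "$AFTER" | find_version_leaks && echo "after: no version details in headers"
```

Every hop of a redirect chain is checked separately, which matters because the first hop in the Step1 output exposed nginx/1.16.1 even though the final response did not.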

Conclusion

Congratulations, you have successfully hidden the Apache, Nginx, or PHP version on Ubuntu/CentOS. Please let me know in the comment box if you are facing any issue while configuring the settings.