How to hide Apache & PHP version header


For quite some time now, automated attacks have been scanning random servers in search of new victims. Sometimes these attacks first build up a database of servers that are running old versions of applications, or versions with known security holes.

One way they do this is by simply reading HTTP headers to find out which version of Apache or PHP your server is using. We can hide this, and I will show you how in case you do not already know.

Remember, this is in no way going to prevent your server from being compromised. We are just hiding what we are using from scans that search for a certain application version to target.

Let's get started. You need to know two things: where your Apache and PHP configuration files are stored.

For Ubuntu users who are using Apache 2 / PHP 5:
/etc/php5/apache2/php.ini
/etc/apache2/apache2.conf

For others, you can use the locate / find / whereis command:

locate apache | grep conf
locate php | grep php.ini

Editing your Apache configuration file:
Look for the ServerTokens section and change ServerTokens to Prod.

# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens Prod

Below it, you will also see 'ServerSignature'. You can turn that off too.

# 
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
ServerSignature Off
 

Editing your PHP configuration file:
Search for the line 'expose_php', change 'On' to 'Off'.

; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
expose_php = Off

Now you just need to restart Apache for the changes to take effect.

For Ubuntu users, you can issue:

sudo /etc/init.d/apache2 restart
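
To confirm the change took effect, check the response headers after the restart. The script below is an added example, not part of the original post; the function name check_headers and the two sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: reads HTTP response headers on stdin and reports any that
# still disclose a version. Returns 0 when clean, 1 when something leaks.
check_headers() {
    awk '
        { sub(/\r$/, "") }                  # strip CR from CRLF line endings
        tolower($0) ~ /^server:/ {
            # With ServerTokens Prod the value is the bare product name,
            # so any digit or "(OS)" comment means more is being sent.
            if ($0 ~ /[0-9]/ || $0 ~ /\(/) { print "LEAK " $0; bad = 1 }
        }
        tolower($0) ~ /^x-powered-by:.*php/ {
            # With expose_php = Off PHP does not send this header at all.
            print "LEAK " $0; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample responses (not captured from a real server).
before='HTTP/1.1 200 OK
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10
Content-Type: text/html'

after='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

printf '%s\n' "$before" | check_headers || echo "before: version still disclosed"
printf '%s\n' "$after"  | check_headers && echo "after: nothing disclosed"

# Against your own server:
#   curl -sI http://localhost/ | check_headers
```

Request a .php page as well as a static file, since the X-Powered-By header only appears on responses that PHP generated.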
