Hide Apache and PHP Version on Ubuntu/CentOS/RHEL, CWP and Vesta CP
In this article we'll configure Apache and PHP to hide their versions. This is useful if you don't want to expose the versions to the public. Attackers often check the versions and run vulnerability scans for flaws present in a specific version of Apache or PHP in order to gain access to your server or scripts; hiding the versions will confuse them and increase their overhead. It does not fix any vulnerability in the software itself, so keep Apache and PHP patched as well.
Let's get started
Hiding the Apache version on CentOS/RHEL 6/7, Ubuntu, VestaCP and CWP:
First, check the HTTP headers with this command to see whether the Apache and PHP versions are exposed:
curl -I 173.82.255.112
or
curl -I domain-name.com
The output will look like this:
[root@mysterdata-com ~]# curl -I 173.82.255.112
HTTP/1.1 200 OK
Date: Wed, 04 Jul 2018 10:54:45 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.2.7
Last-Modified: Thu, 16 Jan 2018 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8
You can read more about ServerTokens and ServerSignature in the official documentation:
ServerTokens
https://httpd.apache.org/docs/2.4/mod/core.html#servertokens
ServerSignature
https://httpd.apache.org/docs/2.4/mod/core.html#serversignature
If the Apache and PHP versions are exposed and you want to hide them, follow the procedure below:
CentOS/RHEL 6/7 and VestaCP (Apache):
Edit Apache config :
nano /etc/httpd/conf/httpd.conf
Add these lines to the end of the config file:
ServerTokens Prod
ServerSignature Off
Then restart Apache server :
service httpd restart
CWP – Centos Web Panel :
Edit Apache config :
nano /usr/local/apache/conf/httpd.conf
Add these lines to the end of the config file:
ServerTokens Prod
ServerSignature Off
Then restart Apache server :
service httpd restart
Ubuntu :
Edit Apache config :
nano /etc/apache2/conf-enabled/security.conf
Add these lines to the end of the config file:
ServerTokens Prod
ServerSignature Off
Then restart Apache server :
service apache2 restart
Hiding the PHP version
Now we'll hide the PHP version:
CentOS/RHEL 6/7 and VestaCP (PHP):
Edit php.ini config :
nano /etc/php.ini
Add this line at the end of the php.ini :
expose_php = Off
CWP – Centos Web Panel :
Edit php.ini config :
nano /usr/local/php/php.ini
Add this line at the end of the php.ini :
expose_php = Off
Ubuntu :
Edit php.ini config :
On Ubuntu the default location is:
/etc/php/7.2/apache2/php.ini
Replace 7.2 with the PHP version you're using, e.g. 5.6, 7.0 or 7.1.
Now add this line at the end of php.ini:
expose_php = Off
Finally, restart Apache/php-fpm:
service php-fpm restart # Ubuntu/CentOS/RHEL
service apache2 restart # Ubuntu
service httpd restart # CentOS/RHEL
Now check the HTTP headers again:
curl -I 173.82.255.112
or
curl -I domain-name.com
You can see the versions are now hidden/removed:
[root@mysterdata-com ~]# curl -I 173.82.255.112
HTTP/1.1 200 OK
Date: Wed, 04 Jul 2018 11:21:45 GMT
Server: Apache
Last-Modified: Thu, 16 Jan 2018 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8
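The before/after header check above can be scripted so it can be re-run after every config change or upgrade. This is an added example, not part of the original article: the function name audit_headers is an assumption, the Server values are the ones shown in the article's curl output, and the X-Powered-By line is constructed to stand for a PHP-handled response (the header PHP sends while expose_php is On).

```shell
#!/bin/sh
# audit_headers: read HTTP response headers on stdin (for example from
# `curl -sI domain-name.com`) and report values that disclose versions.
# Returns 0 when nothing is disclosed, 1 otherwise.
audit_headers() {
    awk '
        BEGIN { bad = 0 }
        { sub(/\r$/, "") }    # header lines end in CRLF
        {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
        }
        # ServerTokens Prod yields the bare product name "Apache"; a slash,
        # parenthesis or digit means version, OS or module tokens remain.
        name == "server" && value ~ "[/(0-9]" {
            print "LEAK Server: " value; bad = 1
        }
        # Sent by PHP while expose_php is On.
        name == "x-powered-by" {
            print "LEAK X-Powered-By: " value; bad = 1
        }
        END { exit bad }
    '
}

# Sample header sets. Server values come from the article output; the
# X-Powered-By line is constructed for illustration.
before() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (CentOS) PHP/7.2.7\r\nX-Powered-By: PHP/7.2.7\r\n\r\n'
}
after() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n'
}

before | audit_headers || echo "before: versions exposed"
after  | audit_headers && echo "after: nothing disclosed"
```

Against a live server, run it as curl -sI domain-name.com | audit_headers and request a .php URL as well, since X-Powered-By only appears on responses PHP handles.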