Hide Apache and PHP Version on Ubuntu/CentOS/RHEL, CWP and Vesta CP

In this article we’ll configure Apache and PHP to hide their versions. This is useful if you don’t want to expose the versions to the public. Attackers often check these versions and then run scans for vulnerabilities present in that specific version of Apache or PHP in order to gain access to your server or script; hiding the versions makes that fingerprinting harder and increases their overhead.

Let’s get started

Hiding Apache version in CentOS/RHEL 6/7, Ubuntu, VestaCP and CWP:

First, check the HTTP headers with this command to see whether the Apache and PHP versions are exposed:

curl -I 173.82.255.112
or
curl -I domain-name.com

The output will look like this:

[root@mysterdata-com ~]# curl -I 173.82.255.112
HTTP/1.1 200 OK
Date: Wed, 04 Jul 2018 10:54:45 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.2.7
Last-Modified: Thu, 16 Jan 2018 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8

You can read more about ServerTokens and ServerSignature in the official documentation:

ServerTokens
https://httpd.apache.org/docs/2.4/mod/core.html#servertokens

ServerSignature
https://httpd.apache.org/docs/2.4/mod/core.html#serversignature

If you find that the Apache and PHP versions are exposed and want to hide them, follow the next procedure:

CentOS/RHEL 6/7 and VestaCP (Apache):

Edit the Apache config:

nano /etc/httpd/conf/httpd.conf

Add these lines to the end of the config file:

ServerTokens Prod
ServerSignature Off

Then restart the Apache server:

service httpd restart

CWP – CentOS Web Panel:

Edit the Apache config:

nano /usr/local/apache/conf/httpd.conf

Add these lines to the end of the config file:

ServerTokens Prod
ServerSignature Off

Then restart the Apache server:

service httpd restart

Ubuntu:

Edit the Apache config:

nano /etc/apache2/conf-enabled/security.conf

Add these lines to the end of the config file:

ServerTokens Prod
ServerSignature Off

Then restart the Apache server:

service apache2 restart

Hiding PHP Version

Now we’ll hide the PHP version:

CentOS/RHEL 6/7 and VestaCP (PHP):

Edit the php.ini config:

nano /etc/php.ini

Add this line at the end of php.ini:

expose_php = Off

CWP – CentOS Web Panel:

Edit the php.ini config:

nano /usr/local/php/php.ini

Add this line at the end of php.ini:

expose_php = Off

Ubuntu:

Edit the php.ini config:

For Ubuntu the default location is:

/etc/php/7.2/apache2/php.ini

Replace 7.2 with the PHP version you’re using, e.g. 5.6, 7.0 or 7.1.

Now add this line at the end of php.ini:

expose_php = Off

Finally, restart Apache/PHP-FPM:

service php-fpm restart # Ubuntu/CentOS/RHEL
service apache2 restart # Ubuntu
service httpd restart # CentOS/RHEL

Now check the HTTP headers again:

curl -I 173.82.255.112
or
curl -I domain-name.com

You can see the versions are now hidden/removed:

[root@mysterdata-com ~]# curl -I 173.82.255.112
HTTP/1.1 200 OK
Date: Wed, 04 Jul 2018 11:21:45 GMT
Server: Apache
Last-Modified: Thu, 16 Jan 2018 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8
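
The before/after check above can be scripted. The following is an added example, not part of the original article: a shell function (the name audit_headers is hypothetical) that reads response headers and reports a Server value that still carries a version, as well as the X-Powered-By header that PHP sends while expose_php is On. The X-Powered-By sample input is constructed.

```shell
#!/bin/sh
# Added example: report version disclosure in HTTP response headers.
# Reads raw headers on stdin (e.g. from `curl -sI domain-name.com`), prints one
# line per finding and returns the number of findings (0 = nothing disclosed).
audit_headers() {
    findings=0
    cr=$(printf '\r')                      # curl prints headers with CRLF endings
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}
        case "$line" in
            *:*) ;;                        # header line
            *) continue ;;                 # status line or blank line
        esac
        name=$(printf '%s' "${line%%:*}" | tr '[:upper:]' '[:lower:]')
        value=${line#*:}
        value=${value# }
        case "$name" in
            server)
                # ServerTokens Prod sends only "Apache"; "/<digit>" means a
                # product version is still in the header.
                case "$value" in
                    */[0-9]*) echo "LEAK Server: $value"; findings=$((findings + 1)) ;;
                esac ;;
            x-powered-by)
                # PHP adds this header while expose_php is On.
                echo "LEAK X-Powered-By: $value"; findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# BEFORE and AFTER are shortened from the outputs shown in the article;
# XPB is a constructed sample.
BEFORE='HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) PHP/7.2.7
Content-Type: text/html; charset=UTF-8'
AFTER='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8'
XPB='HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/7.2.7'

for sample in "$BEFORE" "$AFTER" "$XPB"; do
    if printf '%s\n' "$sample" | audit_headers; then
        echo "OK: no version disclosed"
    fi
done
```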