How to hide your Apache and PHP version number
- Posted by Tengku Zahasman on January 15th, 2008 filed in Tutorial, Security, System Administration
- (1,548 Views)
One of the most basic security practice in the web application world is to hide your web server’s software version number. It doesn’t matter if you use Apache 1.3.37 or lighttpd 1.4.10 on a Linux machine or IIS-5.0 on Windows, hiding the version number is crucial if you want to mitigate the risk of your server being attacked by troublemakers.
BEFORE TREATMENT:
AFTER TREATMENT:
Version numbers are the first thing a typical hacker will look for if they want to attack your server. This is because once they know what version your web server is running on, they can easily look for what kind of vulnerabilities are associated with that version, and then simply run the related exploit to hack your server. Attackers can easily know the type and version of your webserver by looking at the HTTP response headers received after they send requests to your application through a Telnet program, or by using Firefox addons/extensions like ServerSpy and Live HTTP Headers in order to see your web server’s version the moment they visit your site.
So hide your Apache and PHP version!
In order to do this, you need to do some sys admin job. I am going to specifically focus on Apache and PHP because I am more of a LAMP (Linux + Apache + MySQL + PHP) user. If you use ASP on Microsoft IIS, I can’t help you much with all these version-hiding thingy (but hey, Google is there to save your day! 
)
So here goes..
Hide Apache version number:
- Open your Apache’s httpd.conf file (in my case, # vi /usr/local/apache/conf/httpd.conf), and look for the line that says: “ServerSignature On“
- Change it to “ServerSignature Off” (this will hide the Apache version normally seen at the bottom of your 404 error pages)
- Then add “ServerTokens Prod” below that line (to hide the version in HTTP response headers)
- Restart your HTTP service (# /etc/init.d/httpd restart)
- Done! No more Apache version numbers
Hide PHP version number:
- Find your php.ini file (in my case, # vi /usr/local/lib/php.ini), and look for the line that says: “expose_php On“
- Change it to: “expose_php Off“
- Restart your HTTP service if necessary
- Done! No more PHP version number in your HTTP response header
Wasn’t that hard now, was it? Just a few tweaks can save you a great deal of security risk, and may save you your business too! Bear in mind that this does not in any way protect from real vulnerabilities that may be associated with your version. Patches or upgrades should still be applied. However, hiding the version numbers will at least make the hackers life harder 
If I've provided some info that you find to be useful, don't hesitate to 
January 15th, 2008 at 6:08 am
Nice tip you got there dude! Can we also do this type of thing for shared hosting as well?
January 15th, 2008 at 2:25 pm
Yes I’m sure you can. Remember that you can override Apache httpd.conf settings in your .htaccess file? Simply place “ServerTokens Prod” in your .htaccess file and you’re good to go. You can also override the server’s global php.ini settings by creating your own php.ini file in your userspace directory. Place the line “expose_php Off” in your php.ini and voila..!
However, I don’t think it helps to do it this way as the attacker can easily telnet to your IP address instead of to your domain name. Therefore, he/she can still identify your server software type and version if it’s not hidden on the global level. I suggest you advice your hosting provider to hide that information leakage
January 16th, 2008 at 2:13 pm
Awesome! I’m not really paranoid about my security level yet but this is a good stuff you’re writing dude.
January 16th, 2008 at 2:45 pm
Just sharing what I know, brudder. Glad to hear you learned something from it