How to hide your Apache and PHP version number
- Posted by Tengku Zahasman on January 15th, 2008 filed in Tutorial, Security, System Administration
One of the most basic security practices in the web application world is to hide your web server’s software version number. It doesn’t matter whether you use Apache 1.3.37 or lighttpd 1.4.10 on a Linux machine or IIS 5.0 on Windows: hiding the version number is crucial if you want to mitigate the risk of your server being attacked by troublemakers.
BEFORE TREATMENT:
AFTER TREATMENT:
Version numbers are the first thing a typical hacker will look for when they want to attack your server. Once they know which version your web server is running, they can easily look up the vulnerabilities associated with that version and then simply run the related exploit against your server. Attackers can learn the type and version of your web server by looking at the HTTP response headers returned after they send a request to your application with a Telnet client, or by using Firefox add-ons/extensions such as ServerSpy and Live HTTP Headers, which show your web server’s version the moment they visit your site.
So hide your Apache and PHP version!
In order to do this, you need to do some sysadmin work. I am going to focus specifically on Apache and PHP because I am more of a LAMP (Linux + Apache + MySQL + PHP) user. If you use ASP on Microsoft IIS, I can’t help you much with all this version-hiding business (but hey, Google is there to save your day!)
So here goes..
Hide Apache version number:
- Open your Apache httpd.conf file (in my case, # vi /usr/local/apache/conf/httpd.conf) and look for the line that says: “ServerSignature On”
- Change it to “ServerSignature Off” (this hides the Apache version normally seen at the bottom of your 404 error pages)
- Then add “ServerTokens Prod” below that line (this hides the version in the Server HTTP response header)
- Restart your HTTP service (# /etc/init.d/httpd restart)
- Done! No more Apache version numbers
Hide PHP version number:
- Find your php.ini file (in my case, # vi /usr/local/lib/php.ini) and look for the line that says: “expose_php = On” (php.ini directives use an equals sign between the name and the value)
- Change it to: “expose_php = Off”
- Restart your HTTP service if necessary
- Done! No more PHP version number (the X-Powered-By header) in your HTTP response
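To confirm that both tweaks took effect, here is an added example (not from the original post) that scans a captured set of HTTP response headers for the two disclosures discussed above: a Server header that still carries a version token, and the PHP X-Powered-By header. The header blocks are constructed samples; on your own host, feed it the output of `curl -sI http://your-host/`.

```sh
#!/bin/sh
# Added example: detect web server version disclosure in HTTP response headers.
# The two header blocks below are constructed samples, not captured from a real host.

# Before treatment: Apache with a full banner and expose_php = On
BEFORE_HEADERS='HTTP/1.1 200 OK
Date: Tue, 15 Jan 2008 06:00:00 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Type: text/html'

# After treatment: ServerTokens Prod and expose_php = Off
AFTER_HEADERS='HTTP/1.1 200 OK
Date: Tue, 15 Jan 2008 06:00:00 GMT
Server: Apache
Content-Type: text/html'

# leak_count HEADERS: prints the number of headers that disclose a version.
leak_count() {
    printf '%s\n' "$1" | awk -F':' '
        # lower-case the header name so Server/server/SERVER all match
        { name = tolower($1) }
        # X-Powered-By exists only to advertise the PHP version
        name == "x-powered-by" { n++; next }
        # a Server value containing "/" carries a product/version token
        # (ServerTokens Prod yields a bare "Apache" with no slash)
        name == "server" && index($2, "/") > 0 { n++ }
        END { print n + 0 }
    '
}

# check_headers HEADERS: returns 0 when nothing is disclosed, 1 otherwise.
check_headers() {
    n=$(leak_count "$1")
    if [ "$n" -eq 0 ]; then
        echo "OK: no version disclosure"
        return 0
    fi
    echo "LEAK: $n disclosing header(s) found"
    return 1
}

for h in "$BEFORE_HEADERS" "$AFTER_HEADERS"; do
    check_headers "$h" || true
done
```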
Wasn’t that hard now, was it? Just a few tweaks can save you a great deal of security risk, and may save your business too! Bear in mind that this does not in any way protect you from real vulnerabilities that may be present in your version; patches or upgrades should still be applied. However, hiding the version numbers will at least make the hacker’s life harder.
January 15th, 2008 at 6:08 am
Nice tip you got there dude! Can we also do this type of thing for shared hosting as well?
January 15th, 2008 at 2:25 pm
Yes I’m sure you can. Remember that you can override Apache httpd.conf settings in your .htaccess file? Simply place “ServerTokens Prod” in your .htaccess file and you’re good to go. You can also override the server’s global php.ini settings by creating your own php.ini file in your userspace directory. Place the line “expose_php Off” in your php.ini and voila..!
However, I don’t think it helps to do it this way, as the attacker can easily telnet to your IP address instead of to your domain name. Therefore, he/she can still identify your server software type and version if it’s not hidden at the global level. I suggest you advise your hosting provider to hide that information leakage.
January 16th, 2008 at 2:13 pm
Awesome! I’m not really paranoid about my security level yet but this is a good stuff you’re writing dude.
January 16th, 2008 at 2:45 pm
Just sharing what I know, brudder. Glad to hear you learned something from it
October 27th, 2008 at 6:00 am
I seem to remember there was a long 32/64 string GET request argument which exposed the PHP version (or similar info). I’m pretty sure about this but can’t find any references. Was it just in PHP 4? Any clues?
December 6th, 2008 at 10:46 am
That’s all good FOR YOUR SITE, but what can be done if your site is on a shared server and the other users do not all turn off expose_php???
It’s trivial to discover what web host is being used by looking up the whois and associated DNS servers. An online search of the DNS will usually reveal plenty of sites.
Also, guess what those web hosts publicly advertise even if all are unexposed?? THEIR SERVER SPECS!!