One of the most basic security practices in the web application world is to hide your web server’s software version number.
Whether you run Apache 2.x.xx or lighttpd 1.x.xx on a Linux machine or IIS x.x on Windows, hiding the version number is worthwhile if you want to reduce the risk of your server being targeted by troublemakers.
Advertising your version numbers is asking to be hacked. This applies to applications such as Joomla, Drupal and WordPress just as much as to the server-side software they run on, such as Apache, PHP or MySQL. Once someone knows which version your web server is running, it is easy for even an average attacker to look up the vulnerabilities associated with that version and then run the related exploit against your server or website.
Attackers can easily discover the type and version of your web server by looking at the HTTP response headers returned for an ordinary request (a normal page visit), or, with less effort still, by connecting with a Telnet program, or by using Firefox add-ons such as ServerSpy and Live HTTP Headers to display your web server’s version.
Hide Apache version number:
- Open your Apache’s httpd.conf file (in this case, # nano /usr/local/apache/conf/httpd.conf), and look for the line that says: “ServerSignature On”
- Change it to “ServerSignature Off” (this will hide the Apache version normally seen at the bottom of your 404 error pages)
- Then add “ServerTokens Prod” below that line (to hide the version in HTTP response headers)
- Restart your HTTP service (# /etc/init.d/httpd restart)
- Done! No more Apache version numbers
Hide PHP version number:
- Find your php.ini file (in this case, # nano /usr/local/lib/php.ini), and look for the line that says: “expose_php = On”
- Change it to: “expose_php = Off”
- Restart your HTTP service if necessary
- Done! No more PHP version number in your HTTP response header
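To verify that both procedures above actually took effect, here is an added POSIX shell script (example code written for this page, not part of the original post). It checks a block of HTTP response headers for a versioned Server header and for the X-Powered-By header that PHP emits when expose_php is On, and it audits httpd.conf and php.ini text for the ServerSignature, ServerTokens and expose_php settings. The header samples and config fragments embedded in the script are constructed so that it runs offline; for a live check, feed it the output of `curl -sI http://your-server/` instead.

```shell
#!/bin/sh
# Added example, not from the original post: audit HTTP response headers and
# server configuration for version disclosure. All sample data below is
# constructed; replace it with `curl -sI` output or real config files to use live.

# Constructed sample: headers as a server with default settings returns them.
LEAKY_HEADERS='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.57 (Unix) PHP/8.2.7
X-Powered-By: PHP/8.2.7
Content-Type: text/html'

# Constructed sample: the same server after ServerTokens Prod and expose_php = Off.
HARDENED_HEADERS='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html'

# check_headers HEADERS -> prints one finding per line; returns 0 when clean,
# 1 when the Server header carries a version or X-Powered-By is present.
check_headers() {
    _hdrs="$1"
    _rc=0
    # A "/" followed by a digit in the Server header means a version is exposed.
    _server=$(printf '%s\n' "$_hdrs" | grep -i '^Server:' | head -n 1)
    if printf '%s' "$_server" | grep -Eq '/[0-9]'; then
        echo "LEAK: $_server"
        _rc=1
    fi
    # X-Powered-By is added by PHP whenever expose_php = On.
    _powered=$(printf '%s\n' "$_hdrs" | grep -i '^X-Powered-By:' | head -n 1)
    if [ -n "$_powered" ]; then
        echo "LEAK: $_powered"
        _rc=1
    fi
    return $_rc
}

# Constructed httpd.conf fragments: the weak setting and the corrected one.
WEAK_HTTPD_CONF='ServerSignature On
ServerTokens Full'
GOOD_HTTPD_CONF='ServerSignature Off
ServerTokens Prod'

# check_httpd_conf CONF -> 0 when ServerSignature is Off and ServerTokens is Prod.
# Apache directive names are case-insensitive and the last occurrence wins, so
# the check takes the last match. An unset directive is reported so that the
# administrator sets it explicitly rather than relying on defaults.
check_httpd_conf() {
    _conf="$1"
    _rc=0
    _sig=$(printf '%s\n' "$_conf" | grep -i '^[[:space:]]*ServerSignature' | tail -n 1 | awk '{print tolower($2)}')
    _tok=$(printf '%s\n' "$_conf" | grep -i '^[[:space:]]*ServerTokens' | tail -n 1 | awk '{print tolower($2)}')
    if [ "$_sig" != "off" ]; then
        echo "ServerSignature is '${_sig:-unset}', want Off"
        _rc=1
    fi
    if [ "$_tok" != "prod" ]; then
        echo "ServerTokens is '${_tok:-unset}', want Prod"
        _rc=1
    fi
    return $_rc
}

# check_php_ini INI -> 0 when expose_php is Off (php.ini also accepts 0).
check_php_ini() {
    _ini="$1"
    _val=$(printf '%s\n' "$_ini" | grep -i '^[[:space:]]*expose_php' | tail -n 1 | sed 's/.*=[[:space:]]*//' | tr 'A-Z' 'a-z')
    if [ "$_val" = "off" ] || [ "$_val" = "0" ]; then
        return 0
    fi
    echo "expose_php is '${_val:-unset}', want Off"
    return 1
}

# Demonstration on the constructed samples when the script is run directly.
echo "--- headers before hardening"
check_headers "$LEAKY_HEADERS" || true
echo "--- headers after hardening"
check_headers "$HARDENED_HEADERS" && echo "clean"
echo "--- httpd.conf before / after"
check_httpd_conf "$WEAK_HTTPD_CONF" || true
check_httpd_conf "$GOOD_HTTPD_CONF" && echo "clean"
echo "--- php.ini before / after"
check_php_ini 'expose_php = On' || true
check_php_ini 'expose_php = Off' && echo "clean"
```

Keep in mind what these settings do and do not achieve: ServerTokens Prod and expose_php = Off only trim the banner, so the script confirms the disclosure is gone, not that the underlying software is safe. Fingerprinting by behaviour is still possible, and the vulnerability itself goes away only when the server is patched; the banner change simply stops handing the version to anyone who asks.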
That’s all