Hide Apache, PHP and Bind Versions



To Check Apache Version:

By default, Apache will send version and modules information like mod_php, mod_perl, mod_ssl in every HTTP header.

If you want to view Apache web server version and sofware of a remote server, follow this procedure.

# telnet example.com 80

Trying example.com...
Connected to example.com.
Escape character is ‘^]'.
HEAD / HTTP/1.0 <- after this press 2 times ENTER


HTTP/1.1 200 OK
Date: Sun, 07 Oct 2012 12:57:57 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 JRun/4.0
Last-Modified: Tue, 03 Jan 2012 11:41:16 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Connection closed by foreign host.

In the above example it is showing all the details about your web server and php this is not recommended for security reasons.We need to hide this information with the following procedure.


To Hide Apache Information:


To hide the information, add the following two apache directives in Apache configuration file, (httpd.conf or apache2.conf)

ServerTokens ProductOnly

ServerSignature Off

# /etc/init.d/httpd restart

Now the output for apache header looks like below

Server: Apache


To Hide PHP Version Details

Locate php.ini  loaded in the server.

Change the following option in php.ini

expose_php On

to

expose_php Off

# /etc/init.d/httpd restart


To Hide BIND Version


You can check the Bind version of a server by using the following command.

# dig +short @XXX.XXX.XXX.XXX -c CH -t txt version.bind
    "9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.4"

To hide your version of bind, change the version value in named.conf as like the following.
You can give any string for the version.

options {
directory "/var/named";
version "We Just Hide It";
};

# dig +short @XXX.XXX.XXX.XXX -c CH -t txt version.bind
   "We Just Hide It"

This entry was posted by Arun Ghosh. Bookmark the permalink.