Hide Apache, PHP and Bind Versions

To Check Apache Version:

By default, Apache sends its version and module information (mod_php, mod_perl, mod_ssl and so on) in the Server header of every HTTP response.

If you want to view the Apache web server version and software of a remote server, follow this procedure.

# telnet example.com 80

Trying example.com...
Connected to example.com.
Escape character is '^]'.
HEAD / HTTP/1.0 <- after this press 2 times ENTER

HTTP/1.1 200 OK
Date: Sun, 07 Oct 2012 12:57:57 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/ JRun/4.0
Last-Modified: Tue, 03 Jan 2012 11:41:16 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Connection closed by foreign host.

In the above example, the response shows all the details about your web server and PHP. This is not recommended for security reasons. We need to hide this information with the following procedure.

To Hide Apache Information:

To hide the information, add the following two directives to the Apache configuration file (httpd.conf or apache2.conf), then restart Apache.

ServerTokens ProductOnly

ServerSignature Off

# /etc/init.d/httpd restart

Now the Apache Server header looks like this:

Server: Apache

To Hide PHP Version Details

Locate the php.ini loaded by the server.

Change the following option in php.ini from

expose_php = On

to

expose_php = Off

# /etc/init.d/httpd restart
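To confirm both changes after the restart, the response headers can be checked for version strings. The script below is an added example, not part of the original post. It flags a Server header that carries a version number and any X-Powered-By header (the header expose_php controls). The function names and the sample headers are constructed for illustration, with the Server line shortened from the transcript above.

```shell
#!/bin/sh
# version_leaks: read raw HTTP response headers on stdin, print every header
# line that discloses software versions, return 0 if any was found, 1 if none.
version_leaks() {
    tr -d '\r' | awk '
    {
        name = tolower($0)
        if (name !~ /^[a-z-]+:/) next            # skip status line, telnet noise
        sub(/:.*/, "", name)                     # header name, lower-cased
        value = $0; sub(/^[^:]*:[ \t]*/, "", value)
        # Server: a product token followed by "/<digit>" is a version string.
        # X-Powered-By: only sent when expose_php is On, so its presence is a leak.
        if ((name == "server" && value ~ /\/[0-9]/) || name == "x-powered-by") {
            print; found = 1
        }
    }
    END { exit (found ? 0 : 1) }'
}

# Constructed sample: headers before hardening (PHP version is made up).
sample_before() {
cat <<'EOF'
HTTP/1.1 200 OK
Date: Sun, 07 Oct 2012 12:57:57 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5
X-Powered-By: PHP/5.3.0
Content-Type: text/html; charset=UTF-8
EOF
}

# Constructed sample: headers after ServerTokens ProductOnly and expose_php = Off.
sample_after() {
cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
EOF
}

echo "before hardening:"
sample_before | version_leaks
echo "after hardening:"
sample_after | version_leaks || echo "(no version disclosed)"
```

Against your own server, feed it live headers with: curl -sI http://example.com/ | version_leaks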

To Hide BIND Version

You can check the Bind version of a server by using the following command.

# dig +short @XXX.XXX.XXX.XXX -c CH -t txt version.bind

To hide your version of BIND, change the version value in the options block of named.conf as shown below.
You can give any string for the version.

options {
    directory "/var/named";
    version "We Just Hide It";
};

# dig +short @XXX.XXX.XXX.XXX -c CH -t txt version.bind
   "We Just Hide It"

This entry was posted by Arun Ghosh.