Hide Apache and PHP Version and Signatures in Ubuntu Linux

Apache Security

By default, your Apache web server (and PHP if it is installed) will indicate to clients the exact version of the Apache software which is running. This version information can be seen in the HTTP response header.

At times, such behaviour is undesirable as some administrators think that this will make their server more vulnerable to attacks since an attacker will immediately know what software versions are running and may then easily gather any available exploits. The simple fact is, even if your server software is masked, and attacker can try to determine the versions using other means, or they can just try to attack it using all the exploits they have.

Regardless of whatever your intention is, turning off these signatures will add an additional level of complexity (albeit minimal) to a potential attacker.

The tutorial below explains.

How to disable Apache signature

Open the relevant apache2.conf config file:

nano /etc/apache2/apache2.conf

At the end of the file, or at some other sensible location, add the following lines:

ServerTokens Prod
ServerSignature off

Restart your server for the new changes to take effect:

/etc/init.d/apache2 restart

How to disable PHP signature

Open the relevant php.ini config file:

nano /etc/php5/apache2/php.ini

Find the line that says:

expose_php = On

And change it to:

expose_php = Off

Finally restart your server again for the new changes to take effect:

/etc/init.d/apache2 restart

Now your server is a little bit more secure from attackers since it will only indicate that it is an Apache server with no clues as to the version number of the modules which are installed.

Note: Disabling the “Server: Apache” line in the HTTP response header altogether cannot be readily done using configurations (if at all), and will usually have to be done by recompiling the web server binaries. If you are running such a critical application that warrants such extreme measures, this task is left up to you. The bottom line is that if your software is kept up to date, it shouldn’t matter if an attacker knows what type of web server you are running.