Disable showing PHP version and Apache version on Ubuntu

By default, Apache and PHP display information that makes servers easier to attack. With Apache, the version number and installed module versions are listed at the bottom of 404 error pages and in responses to HEAD requests. With PHP, because it runs on our servers as CGI, it adds the “X-Powered-By” header, which displays the version number, whenever it processes PHP scripts. In both cases this is not desirable, as attackers can use such information to compromise the server.

To fix this, take the following actions:

For Apache, open /etc/apache2/httpd.conf in your favorite text editor. Search for ServerTokens and you should find an entry that reads:

ServerTokens Full

Change this to:

ServerTokens Prod

Save the file and restart Apache using the Apache init.d script. If httpd.conf is blank, you may well find “ServerTokens” in /etc/apache2/apache2.conf instead.

For PHP, locate the global php.ini. For servers with both PHP4 and PHP5, you’ll need to edit the php.ini for each PHP version. For PHP4 it is usually located in /etc/php4/cgi/. For PHP5 it is usually located in /etc/php5/cgi/. Open each php.ini in your favorite text editor and search for expose_php. You should find an entry that reads:

expose_php = On

Change this to:

expose_php = Off

Save the file and restart Apache. To confirm your changes, from the command line type:

HEAD yourwebsite.com

The Server header should now show only the word Apache, without the version, and there should be no “X-Powered-By” PHP header.
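
The header check in the last step can be scripted. The following is an added example, not part of the original article: a shell function that reads response headers on stdin (for instance from curl -sI, which is an assumption; the article uses HEAD) and flags a Server value that still carries version detail or any X-Powered-By header. The function names are hypothetical and the sample responses are constructed.

```shell
#!/bin/sh
# Added example: audit HTTP response headers for version disclosure.
# Reads raw response headers on stdin, prints one line per leaking header,
# and returns 1 if anything was found (0 if the response is clean).
check_headers() {
    # HTTP uses CRLF line endings; strip the CRs before matching.
    tr -d '\r' | awk '
        {
            # Header names are case-insensitive, so compare in lower case.
            name = tolower($0); sub(/:.*/, "", name)
            value = $0; sub(/^[^:]*:[ \t]*/, "", value)
        }
        # With ServerTokens Prod the value is exactly "Apache"; a slash,
        # digit or parenthesis means version or OS detail is still sent.
        name == "server" && value ~ "[/0-9(]" {
            print "LEAK Server: " value; bad = 1
        }
        # With expose_php = Off this header is not sent at all.
        name == "x-powered-by" {
            print "LEAK X-Powered-By: " value; bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample responses (not captured from a real server).
sample_before() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Ubuntu)\r\nX-Powered-By: PHP/5.3.10\r\n\r\n'
}
sample_after() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n'
}

# Stand-alone run: the first sample reports two leaks, the second is clean.
sample_before | check_headers || echo "before: version information disclosed"
if sample_after | check_headers; then echo "after: clean"; fi
```

Against a live host, pipe the headers in, for example: curl -sI http://yourwebsite.com/ | check_headers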