By default on most Linux systems, Apache, MySQL, PHP and SSH broadcast their version information to make it easier to detect problems. Hiding the version output does not actually add security (see Security through Obscurity), but bigger companies in particular might have policies that force you to disable it.
To see the web server version you can, for example, use the HEAD command in Linux, which will show you the header output.
HEAD -s www.php.net
This produces output like
200 OK
Connection: close
Date: Tue, 07 Aug 2012 11:36:36 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.17
Content-Language: en
Content-Type: text/html;charset=utf-8
Last-Modified: Tue, 06 Aug 2012 14:11:09 GMT
Client-Date: Tue, 06 Aug 2012 14:11:48 GMT
Client-Peer: 220.127.116.11:80
Client-Response-Num: 1
Set-Cookie: COUNTRY=US%2C18.104.22.168; expires=Tue, 13-Aug-2012 14:11:36 GMT; path=/; domain=.php.net
X-Powered-By: PHP/5.2.17
www.php.net in this case is running Apache 1.3.41 and PHP 5.2.17.
Disable Apache version output
If you want to hide the Apache version, edit /etc/apache2/apache2.conf (I am using Debian/Ubuntu here) and add these two lines to the end of the file.
ServerTokens Prod
ServerSignature Off
The first one removes the version from the header; the second keeps the server information out of Apache-generated pages such as error pages and folder listings. Restart Apache after making these changes.
More information can be found at http://httpd.apache.org/docs/current/mod/core.html#serversignature.
Disable PHP version output
To disable the PHP version, edit /etc/php5/apache2/php.ini and disable expose_php.
Can’t hide the SSH version
One way to see the SSH version of a remote host is to use
nc www.php.net 22
A sample output could look like “SSH-1.99-OpenSSH_4.2p1 FreeBSD-20050903”.
You can also find this out using one of these commands:
nmap -sV -T4 -F www.php.net
telnet www.php.net 22
ssh -v www.php.net
You cannot really disable the SSH version output unless you compile SSH yourself since the client and server need this information to make a connection (see the FAQ at http://www.openssh.org/faq.html#2.14). What you can do though is to hide the Operating System version that SSH shows by default. For that, edit /etc/ssh/sshd_config and set
Then restart SSH
On Ubuntu 12.04 this would change the default output “OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)” to “OpenSSH 5.9p1 (protocol 2.0)” for example.
Can’t hide the MySQL version either
MySQL behaves like SSH and announces its version for clients to be able to connect to it. The version will be hidden if your server only accepts connections from localhost. If you allow connections from the outside though, you cannot hide the version and nmap will show something like “MySQL 5.1.63-0ubuntu0.10.04.1-log”. There is a feature request to disable this behavior (http://bugs.mysql.com/bug.php?id=58152) but don’t expect it to be implemented. To make MySQL listen to localhost only, set
bind-address = 127.0.0.1
and restart MySQL
How can I find out what other software versions my server displays?
You can scan your server with the nmap tool to find more open ports and versions.
nmap -A -T4 www.yourservername.com
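To confirm what your own server still announces after the changes above, you can check saved header output and SSH banners with a small script. This is an added example, not part of the original post: the function names are made up for illustration, the "before" headers and the first SSH banner are the samples quoted on this page, and the "after" headers and second banner are constructed.

```python
import re

# Product token followed by a version, e.g. "Apache/1.3.41" or "PHP/5.2.17".
VERSIONED_TOKEN = re.compile(r"\b([A-Za-z][\w.+-]*)/(\d+(?:\.\d+)*[\w.-]*)")
DISCLOSING_HEADERS = ("server", "x-powered-by")
# SSH identification string: SSH-protoversion-softwareversion [SP comments]
SSH_BANNER = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")

# Header lines taken from the HEAD output shown earlier on this page.
HEADERS_BEFORE = """200 OK
Connection: close
Server: Apache/1.3.41 (Unix) PHP/5.2.17
Content-Type: text/html;charset=utf-8
X-Powered-By: PHP/5.2.17"""
# Constructed sample: what remains with ServerTokens Prod and expose_php off.
HEADERS_AFTER = """200 OK
Connection: close
Server: Apache
Content-Type: text/html;charset=utf-8"""


def http_version_leaks(raw_headers):
    """Return (header, product, version) for every versioned token found."""
    leaks = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in DISCLOSING_HEADERS:
            continue  # status line or a header we do not inspect
        for product, version in VERSIONED_TOKEN.findall(value):
            leaks.append((name.strip(), product, version))
    return leaks


def ssh_banner_parts(banner):
    """Split an SSH banner into protocol, software and optional comment."""
    match = SSH_BANNER.match(banner.strip())
    if match is None:
        raise ValueError("not an SSH identification string: %r" % banner)
    protocol, software, comment = match.groups()
    return {"protocol": protocol, "software": software, "comment": comment}


if __name__ == "__main__":
    for label, headers in (("before", HEADERS_BEFORE), ("after", HEADERS_AFTER)):
        print(label, http_version_leaks(headers))
    # First banner is the sample quoted on this page; the second is constructed.
    for banner in ("SSH-1.99-OpenSSH_4.2p1 FreeBSD-20050903", "SSH-2.0-OpenSSH_5.9p1"):
        print(ssh_banner_parts(banner))
```

An empty list from http_version_leaks means the HTTP headers no longer carry a version. For SSH, the software field always remains because the protocol needs it, so the comment field is the part to watch for operating system details.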