Hide the server version

By default on most Linux systems, Apache, MySQL, PHP and SSH broadcast their version information to make it easier to detect problems. While hiding the version output does not actually add security (see Security through Obscurity), bigger companies in particular might have policies that force you to disable it.

To see the web server version you can, for example, use the HEAD command on Linux, which shows you the response headers.

HEAD -s www.php.net

This produces output like

200 OK
Connection: close
Date: Tue, 07 Aug 2012 11:36:36 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.17
Content-Language: en
Content-Type: text/html;charset=utf-8
Last-Modified: Tue, 06 Aug 2012 14:11:09 GMT
Client-Date: Tue, 06 Aug 2012 14:11:48 GMT
Client-Peer: 69.147.83.197:80
Client-Response-Num: 1
Set-Cookie: COUNTRY=US%2C12.120.172.8; expires=Tue, 13-Aug-2012 14:11:36 GMT; path=/; domain=.php.net
X-Powered-By: PHP/5.2.17

www.php.net in this case is running Apache 1.3.41 and PHP 5.2.17.
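As an added example (not part of the original post), the following Python script parses a header block like the one above and reports every header that carries a product/version token. Running it against your own server before and after the Apache and PHP changes described further down is a quick way to confirm that the Server and X-Powered-By headers no longer disclose versions. The two sample header blocks are constructed for the example (the first is taken from the output quoted above, the second is what the same server would send once hardened); fetch_headers is an optional helper that sends a real HEAD request and is not used by the offline samples.

```python
import http.client
import re
from urllib.parse import urlsplit

# Response headers that commonly carry product/version strings.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")

# "Name/1.2.3" style tokens, e.g. Apache/1.3.41 or PHP/5.2.17.
VERSION_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")

# Constructed sample: the header output quoted above, one header per line.
BEFORE = """200 OK
Connection: close
Server: Apache/1.3.41 (Unix) PHP/5.2.17
Content-Type: text/html;charset=utf-8
X-Powered-By: PHP/5.2.17
"""

# Constructed sample: what the same server sends with ServerTokens Prod
# and expose_php = Off applied.
AFTER = """200 OK
Connection: close
Server: Apache
Content-Type: text/html;charset=utf-8
"""


def parse_headers(raw):
    """Turn a raw 'Name: value' header block into a dict of lowercase name -> value.
    Lines without a colon (the status line, blank lines) are ignored."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_version_leaks(headers):
    """Return a list of (header, token) pairs for every version token found
    in the headers that usually disclose software versions."""
    leaks = []
    for name in VERSION_HEADERS:
        value = headers.get(name, "")
        for token in VERSION_TOKEN.findall(value):
            leaks.append((name, token))
    return leaks


def fetch_headers(url, timeout=5):
    """Send a HEAD request to url and return its response headers as a dict.
    Only needed for checking a live server; the samples above run offline."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.hostname, parts.port, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        return {k.lower(): v for k, v in conn.getresponse().getheaders()}
    finally:
        conn.close()


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        leaks = find_version_leaks(parse_headers(sample))
        print(f"{label}: {leaks or 'no version disclosed'}")
```

To check a live host, replace the samples with `find_version_leaks(fetch_headers("http://www.yourservername.com/"))`; an empty list means none of the usual headers carries a version string.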

Disable Apache version output

If you want to hide the Apache version, edit /etc/apache2/apache2.conf (I am using Debian/Ubuntu here) and add these two lines to the end of the file.

ServerTokens Prod
ServerSignature Off

The first one removes the version from the Server header; the second prevents the server information from being shown in Apache-generated pages such as error pages and directory listings. Restart Apache after making these changes.

/etc/init.d/apache2 restart

More information can be found at http://httpd.apache.org/docs/current/mod/core.html#serversignature.

Disable PHP version output

To disable the PHP version, edit /etc/php5/apache2/php.ini and disable expose_php.

expose_php = Off

Again, restart Apache to activate the changes.

/etc/init.d/apache2 restart

Can’t hide the SSH version

One way to see the SSH version of a remote host is to use

nc www.php.net 22

A sample output could look like “SSH-1.99-OpenSSH_4.2p1 FreeBSD-20050903”.

You can also find this out using one of these commands:

nmap -sV -T4 -F www.php.net
telnet www.php.net 22
ssh -v www.php.net

You cannot really disable the SSH version output unless you compile SSH yourself, since the client and server need this information to make a connection (see the FAQ at http://www.openssh.org/faq.html#2.14). What you can do, though, is hide the operating system version that SSH shows by default. For that, edit /etc/ssh/sshd_config and set

DebianBanner no

Then restart SSH

/etc/init.d/ssh restart

On Ubuntu 12.04 this would change the default output “OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)” to “OpenSSH 5.9p1 (protocol 2.0)” for example.
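As an added example (not code from the original post), the script below parses the SSH identification string the server sends, which RFC 4253 defines as SSH-protoversion-softwareversion followed by an optional space and comments field. The Debian/Ubuntu packaging puts its "Debian-5ubuntu1" style string into that comments field, so checking whether the field is empty is a direct way to confirm that DebianBanner no took effect while the OpenSSH version itself, which cannot be hidden, remains. The sample banners are constructed for the example (the first one is the string quoted above); fetch_ssh_banner is an optional helper for reading the banner from a live host and is not used by the offline samples.

```python
import re
import socket

# RFC 4253, section 4.2: "SSH-protoversion-softwareversion SP comments".
IDENT = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?:\s+(?P<comments>.*))?$")

# Constructed sample banners: the first is the one quoted above, the other
# two show an Ubuntu 12.04 host before and after setting DebianBanner no.
SAMPLES = {
    "freebsd": "SSH-1.99-OpenSSH_4.2p1 FreeBSD-20050903",
    "ubuntu_default": "SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1",
    "ubuntu_no_banner": "SSH-2.0-OpenSSH_5.9p1",
}


def parse_ssh_banner(line):
    """Split an SSH identification string into protocol version, software
    version and the optional comments field. Raises ValueError on junk."""
    m = IDENT.match(line.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return {
        "protocol": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments") or "",
    }


def leaks_os_version(line):
    """True if the banner still carries a comments field, i.e. the
    distribution/package string that DebianBanner no removes."""
    return parse_ssh_banner(line)["comments"] != ""


def fetch_ssh_banner(host, port=22, timeout=5):
    """Read the identification line from a live server (not used by the
    offline samples). A server may send other text lines first; the line
    starting with 'SSH-' is the identification string."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        for raw in reader:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line.startswith("SSH-"):
                return line
    raise ValueError("no SSH identification line received")


if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        info = parse_ssh_banner(banner)
        state = "present" if leaks_os_version(banner) else "absent"
        print(f"{name}: {info['software']} (protocol {info['protocol']}), OS/package info {state}")
```

For a live check, `leaks_os_version(fetch_ssh_banner("www.yourservername.com"))` should return False once the new sshd_config is active.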

Can’t hide the MySQL version either

MySQL behaves like SSH and announces its version so that clients are able to connect to it. The version will be hidden if your server only accepts connections from localhost. If you allow connections from the outside, though, you cannot hide the version, and nmap will show something like “MySQL 5.1.63-0ubuntu0.10.04.1-log”. There is a feature request to disable this behavior (http://bugs.mysql.com/bug.php?id=58152) but don’t expect it to be implemented. To make MySQL listen on localhost only, set

bind-address = 127.0.0.1

and restart MySQL

/etc/init.d/mysql restart

How can I find out what other software versions my server displays?

You can scan your server with the nmap tool to find more open ports and versions.

nmap -A -T4 www.yourservername.com
