Attacker will always try to find out your PHP and Apache version using simple method. Most bugs are version specific. You can hide Apache and PHP information easily. But first let us see how much information is displayed by your installation:
Try out following php urls (replace your-domain-name.com with your actual domain) and you will know how much information you are giving out to attacker.
Get your Apache server information using telnet
telnet domain.com 80
When connected type HEAD / HTTP/1.0, followed by [Enter] key.
Trying 206.xxx.xxx.xxx... Connected to your-domain-name.com. Escape character is '^]'. HEAD / HTTP/1.0 HTTP/1.0 200 OK Date: Wed, 20 Dec 2006 11:30:42 GMT Server: Apache/2.0.52 (Red Hat) Accept-Ranges: bytes Content-Length: 3985 Connection: close Content-Type: text/html; charset=UTF-8 Connection closed by foreign host.
It is providing Apache version and distribution name.
How do I Hide Apache Version info?
Open httpd.conf file (located in /etc/httpd/ directory /etc/apache2/ )
Set Apache ServerTokens to product only but don’t show version and other info:
This directive controls whether Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.
Setting this to Prod only displays Apache and nothing else.
Set Apache ServerSignature off
The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents.
How do I hide php info?
Open php.ini (located in /etc/php.ini or /etc/php5 or /etc/php4 directory)
Make sure php does not display errors and other php information. Modify add setting as follows:
expose_php = Off display_errors=Off register_globals = Off
Also send all errors to /var/log/php-scripts-error.log and not on screen to end user. It can provide serious information to user.
error_log = /var/log/httpd/php-scripts-error.log
Now all php script errors are written to /var/log/httpd/php-scripts-error.log. Ask your website developers to use following commands to view log files
tail -f /var/log/httpd/php-scripts-error.log vi /var/log/httpd/php-scripts-error.log.
For more info please read Apache 2 docs http://httpd.apache.org/docs/2.2/mod/core.html