How to Hide Version Numbers of Nginx and PHP on a LEMP Server


If you are running one or more websites based on the LEMP stack, a practical security measure is to hide the version numbers of Nginx and PHP. Advertising exact versions in HTTP headers makes it easy for attackers to match your server against version-specific vulnerabilities; removing them takes away that shortcut.

Let’s have a look at how to implement this measure on a Vultr WordPress server instance which is based on the LEMP stack. All of the instructions in this article should apply to other LEMP-based Vultr apps as well.

Determine current visibility of version numbers

curl -I [your-server-IP]:80

Then you will see the result, which resembles:

HTTP/1.1 200 OK
Server: nginx/1.10.0
Date: Fri, 06 May 2016 04:11:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.20
Link: <http://[your-server-IP]/wp-json/>; rel="https://api.w.org/"

As you see, on my server, the version number of Nginx is 1.10.0, and the version number of PHP is 5.6.20.

Hide the version number of Nginx

Display Nginx configuration details:

nginx -V

Among those parameters, find the parameter "--conf-path", which defines the location of the Nginx configuration file:

--conf-path=/etc/nginx/nginx.conf

Modify the Nginx configuration file with vi:

sudo vi /etc/nginx/nginx.conf

Add the directive server_tokens off; within the http { } block:

http {
    ...
    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  65;
    server_tokens  off;    #<= The directive is added here.
    #gzip  on;
    include /etc/nginx/conf.d/*.conf;
}

Save and quit:

:wq

Edit the fastcgi configuration file:

sudo vi /etc/nginx/fastcgi_params

Replace the line:

fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

With:

fastcgi_param  SERVER_SOFTWARE    nginx;

Save and quit:

:wq

Hide the version number of PHP

Modify the PHP configuration file:

sudo vi /etc/php.ini

Find the line:

expose_php = On

Modify it to:

expose_php = Off

Save and quit:

:wq

Finally, put your modifications into effect:

sudo pkill php-fpm
sudo php-fpm
sudo service nginx restart

Verify your modifications:

curl -I [your-server-IP]:80

The version info of Nginx and PHP is no longer visible:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 06 May 2016 05:16:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Link: <http://[your-server-IP]/wp-json/>; rel="https://api.w.org/"
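The verification step above relies on reading the headers by eye. The script below is an added example, not part of the original article or of Vultr's tooling: it turns the check into something you can run after every deploy. One function scans curl -I output for version strings in the Server and X-Powered-By headers, and two more confirm that server_tokens off; and expose_php = Off are actually present in the configuration files. The header samples and the config fragments are constructed from the values shown in this article (the /etc/nginx/nginx.conf and /etc/php.ini paths are the ones the article uses; the live check host argument is an assumption).

```shell
#!/bin/sh
# Added example (not from the original article): audit a LEMP host for
# version disclosure, both in live HTTP headers and in its config files.

# Read HTTP response headers on stdin. Print any Server / X-Powered-By
# header that still carries a "/<version>" suffix. Returns 0 when clean,
# 1 when at least one version string is disclosed.
check_version_leak() {
    leaks=$(tr -d '\r' | grep -i -E '^(Server|X-Powered-By):' \
            | grep -E '/[0-9]+(\.[0-9]+)*' || true)
    if [ -n "$leaks" ]; then
        printf 'version disclosure found:\n%s\n' "$leaks"
        return 1
    fi
    return 0
}

# Return 0 if the nginx.conf given as $1 contains an active
# "server_tokens off;" directive (commented-out lines do not count).
audit_nginx_conf() {
    grep -q -E '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;' "$1"
}

# Return 0 if the php.ini given as $1 sets expose_php = Off.
audit_php_ini() {
    grep -q -i -E '^[[:space:]]*expose_php[[:space:]]*=[[:space:]]*off' "$1"
}

# Constructed sample: headers as the article shows them before hardening.
BEFORE='HTTP/1.1 200 OK
Server: nginx/1.10.0
Date: Fri, 06 May 2016 04:11:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.20'

# Constructed sample: headers after server_tokens off and expose_php = Off.
AFTER='HTTP/1.1 200 OK
Server: nginx
Date: Fri, 06 May 2016 05:16:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive'

# Constructed config fragments written to a temp dir so the audit
# functions can be exercised offline.
SAMPLE_DIR=$(mktemp -d)
NGINX_SAMPLE="$SAMPLE_DIR/nginx.conf"
PHP_SAMPLE="$SAMPLE_DIR/php.ini"
cat >"$NGINX_SAMPLE" <<'EOF'
http {
    sendfile        on;
    keepalive_timeout  65;
    server_tokens  off;
    include /etc/nginx/conf.d/*.conf;
}
EOF
cat >"$PHP_SAMPLE" <<'EOF'
; constructed php.ini fragment
expose_php = Off
EOF

# Offline demonstration on the constructed samples.
printf '%s\n' "$BEFORE" | check_version_leak || echo "BEFORE: leaks (expected)"
printf '%s\n' "$AFTER"  | check_version_leak && echo "AFTER: clean (expected)"

# Live check. Usage: ./audit.sh <server-ip>   (hypothetical script name)
# Only runs when a host is given, so the script stays usable offline.
if [ -n "$1" ]; then
    curl -sI "http://$1:80" | check_version_leak
    audit_nginx_conf /etc/nginx/nginx.conf || echo "nginx.conf: server_tokens off; missing"
    audit_php_ini /etc/php.ini || echo "php.ini: expose_php is not Off"
fi
```

Note that check_version_leak only inspects the two headers the article discusses; a full audit would also cover any custom headers your application adds, and a successful grep for server_tokens off; does not prove the running Nginx has been reloaded, which is why the live header check remains the final word.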
