How to Hide Version Numbers of Nginx and PHP on a LEMP Server
If you are running one or more websites based on the LEMP stack, a practical security measure is to hide the version numbers of Nginx and PHP. This makes it harder for attackers to identify your exact versions and pick known vulnerabilities that are specific to them.
Let’s have a look at how to implement this measure on a Vultr WordPress server instance which is based on the LEMP stack. All of the instructions in this article should apply to other LEMP-based Vultr apps as well.
Determine current visibility of version numbers
curl -I [your-server-IP]:80
Then you will see the result, which resembles:
HTTP/1.1 200 OK
Server: nginx/1.10.0
Date: Fri, 06 May 2016 04:11:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.20
Link: <http://[your-server-IP]/wp-json/>; rel="https://api.w.org/"
As you see, on my server, the version number of Nginx is 1.10.0, and the version number of PHP is 5.6.20.
Hide the version number of Nginx
Display Nginx configuration details:
nginx -V
Among the listed parameters, find --conf-path, which gives the location of the Nginx configuration file:
--conf-path=/etc/nginx/nginx.conf
Modify the Nginx configuration file with vi:
sudo vi /etc/nginx/nginx.conf
Add the directive server_tokens off; within the http { } block:
http {
    ...
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    server_tokens off; # <= the directive is added here
    #gzip on;
    include /etc/nginx/conf.d/*.conf;
}
Save and quit:
:wq
Edit the fastcgi configuration file:
sudo vi /etc/nginx/fastcgi_params
Replace the line:
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
With:
fastcgi_param SERVER_SOFTWARE nginx;
Save and quit:
:wq
Hide the version number of PHP
Modify the PHP configuration file:
sudo vi /etc/php.ini
Find the line:
expose_php = On
Modify it to:
expose_php = Off
Save and quit:
:wq
Finally, put your modifications into effect by restarting PHP-FPM and Nginx:
sudo pkill php-fpm
sudo php-fpm
sudo service nginx restart
Verify your modifications:
curl -I [your-server-IP]:80
The version information of Nginx and PHP is no longer visible:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 06 May 2016 05:16:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Link: <http://[your-server-IP]/wp-json/>; rel="https://api.w.org/"
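The following script is an added example, not part of the original article or of Vultr's server image. It turns the checks above into repeatable functions: one that scans HTTP response headers for a version string in Server or X-Powered-By, and three that inspect the edited files for an active server_tokens off;, a SERVER_SOFTWARE parameter that no longer passes $nginx_version, and expose_php = Off. It assumes a POSIX shell with grep, tr and wc, and curl only for the optional live check; the header samples at the bottom are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added audit helper for the Nginx/PHP version-hiding steps (example code,
# not from the original article). Assumes POSIX sh, grep, tr, wc; curl is
# needed only by audit_live_host.

# find_version_leaks: read HTTP response headers from stdin and print each
# Server or X-Powered-By header whose value carries a version such as
# nginx/1.10.0 or PHP/5.6.20. Exit status 0 when at least one line printed.
find_version_leaks() {
  tr -d '\r' | grep -i -E '^(Server|X-Powered-By):' | grep -E '/[0-9]+(\.[0-9]+)*'
}

# count_version_leaks HEADERS: number of leaking header lines in the string.
count_version_leaks() {
  printf '%s\n' "$1" | find_version_leaks | wc -l | tr -d ' '
}

# audit_live_host HOST: fetch the real headers and print any leaks
# (requires network access; same request as the curl -I step above).
audit_live_host() {
  curl -sS -I "http://$1:80" | find_version_leaks
}

# nginx_tokens_off FILE: true if FILE contains an uncommented "server_tokens off;".
nginx_tokens_off() {
  grep -E '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;' "$1" >/dev/null
}

# fastcgi_hides_version FILE: true if no SERVER_SOFTWARE line in FILE still
# hands $nginx_version to PHP (the fastcgi_params edit above).
fastcgi_hides_version() {
  ! grep -E '^[[:space:]]*fastcgi_param[[:space:]]+SERVER_SOFTWARE.*\$nginx_version' "$1" >/dev/null
}

# php_expose_off FILE: true if the php.ini at FILE sets expose_php = Off.
php_expose_off() {
  grep -i -E '^[[:space:]]*expose_php[[:space:]]*=[[:space:]]*off' "$1" >/dev/null
}

# Constructed sample headers, before and after the change (not real output).
BEFORE='HTTP/1.1 200 OK
Server: nginx/1.10.0
X-Powered-By: PHP/5.6.20
Content-Type: text/html; charset=UTF-8'

AFTER='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8'

echo "leaking headers before: $(count_version_leaks "$BEFORE")"   # 2
echo "leaking headers after:  $(count_version_leaks "$AFTER")"    # 0
```

On a live server, run audit_live_host with your server IP after restarting PHP-FPM and Nginx; an empty result means neither header exposes a version. The file checks are useful after package upgrades, which can restore a default fastcgi_params or php.ini and silently reintroduce the disclosure. Hiding the version only removes the easy fingerprint; the packages still need to be kept patched.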