A server signature is identifying information, such as the version numbers of web server software like Nginx and PHP, that a server reveals about itself. Attackers collect it when footprinting servers, using simple Linux commands, tools, or a web browser. Hiding the server signature removes this information and helps secure the web server against external attacks.
Step-1 : Check the Nginx version
First verify whether the server is showing the Nginx version with this command:
# curl -I http://www.techbrown.com
Sample Output
HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Fri, 5 Jun 2015 11:38:47 CDT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.23
Set-Cookie: CACHED_FRONT_FORM_KEY=bCunlLxt1Sw1qHfw; path=/
P3p: CP="CAO PSA OUR"
WCN-WEB01: WCNWEB01
Step-2 : Edit the Nginx Configuration File
Open nginx.conf:
# vi /etc/nginx/nginx.conf
Add the parameter below inside the http block and save:
server_tokens off;
Like this:
user nginx;
worker_processes 4;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    ' $status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    keepalive_timeout 65;
    # Hide the Nginx version in the Server header and on error pages
    server_tokens off;
    gzip on;
    gzip_static on;
    gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_buffers 16 8k;
    gzip_vary on;
    ## Detect when HTTPS is used
    map $scheme $fastcgi_https {
        default off;
        https on;
    }
    include /etc/nginx/conf.d/*.conf;
}
Step-3 : Edit the PHP configuration file
Then open the php.ini file and set expose_php = Off
# vi /etc/php.ini
expose_php = Off
Note: (O must be capital)
Step-4 : Check and verify the Nginx and PHP-FPM services
Reload the Nginx and php-fpm services and check again:
# curl -I http://www.techbrown.com
The response must now hide the version and server signature, as shown:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 5 Jun 2015 11:56:03 CDT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: CACHED_FRONT_FORM_KEY=NX3yUkgwxgJwQRLR; path=/
P3p: CP="CAO PSA OUR"
WCN-WEB01: WCNWEB01
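To make the Step-4 check repeatable, this added example (not part of the original article) reads response headers on stdin and flags a Server header that carries a version number, or any X-Powered-By header. The function name check_signature and the embedded sample headers are assumptions, constructed from the two curl outputs shown above.

```shell
#!/bin/sh
# Added example: flag response headers that disclose software versions.
# Reads raw HTTP response headers (e.g. output of `curl -sI URL`) on stdin,
# prints one line per finding, and returns non-zero if anything is disclosed.
check_signature() {
    awk '
        { sub(/\r$/, "") }                 # header lines from curl end in CR
        {
            # Header names are case-insensitive, so compare in lower case
            name = tolower($0); sub(/:.*/, "", name)
            value = $0; sub(/^[^:]*:[ \t]*/, "", value)
        }
        # Server header with a product/version token, e.g. nginx/1.4.4
        name == "server" && value ~ /\/[0-9]/ {
            print "DISCLOSED Server: " value; bad++
        }
        # X-Powered-By is only sent while expose_php is on; any value is a leak
        name == "x-powered-by" {
            print "DISCLOSED X-Powered-By: " value; bad++
        }
        END { exit (bad > 0) }
    '
}

# Constructed samples modelled on the before/after outputs in this article.
BEFORE='HTTP/1.1 200 OK
Server: nginx/1.4.4
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.4.23'

AFTER='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8'

printf '%s\n' "$BEFORE" | check_signature || echo "before: version information exposed"
printf '%s\n' "$AFTER"  | check_signature && echo "after: no version information exposed"
```

Against a live server, pipe real headers into the function, for example curl -sI http://www.techbrown.com | check_signature. Note that with server_tokens off the Server header still names the product (nginx); only the version is removed.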
Congratulations, you have now hidden the Nginx server signature and PHP version on Ubuntu and CentOS.