Thursday, January 8, 2015

Hide NginX and PHP headers to harden your server

Hiding your server's software information may help protect it from malicious scanning by hackers. Here are some ways to hide nginx and PHP information:

1. NginX

Install nginx-extras to have more options:

$ sudo apt-get install nginx-extras

Open /etc/nginx/nginx.conf and add the following lines (server_tokens and more_set_headers) inside the http block:

http {
...
        server_tokens off; # hide the nginx version
        more_set_headers 'Server: My MotherFucking Server'; # Change the Server header
...
}

Then start (or restart) the nginx server:

$ sudo service nginx restart


2. PHP

You can hide the PHP version by modifying the file /etc/php5/fpm/php.ini:

...
expose_php = Off
...

Restart the php5-fpm process:

$ sudo service php5-fpm restart
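
To confirm that both changes took effect, check the response headers after the restarts. The script below is an added example, not part of the original post: a shell function that reads response headers on stdin and flags a version number in the Server header or any X-Powered-By header. The sample headers and the localhost URL are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit HTTP response headers for software/version disclosure.
# Real use (assumes the site answers on localhost):
#   curl -sI http://localhost/ | check_headers

check_headers() {
    # Strip CRs from the wire format, then inspect each "Name: value" line.
    # Exit status 0 = nothing disclosed, 1 = at least one leak printed.
    tr -d '\r' | awk '
    {
        colon = index($0, ":")
        if (colon == 0) next                      # status line or blank line
        name  = tolower(substr($0, 1, colon - 1)) # header names are case-insensitive
        value = substr($0, colon + 1)
        sub(/^[ \t]+/, "", value)
        if (name == "server" && value ~ /[0-9]+\.[0-9]+/) {
            # server_tokens off should have removed the version number
            print "LEAK Server version: " value; bad = 1
        } else if (name == "x-powered-by") {
            # expose_php = Off should have removed this header entirely
            print "LEAK X-Powered-By: " value; bad = 1
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample: headers from an untouched nginx + PHP-FPM install.
sample_before() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.4.6 (Ubuntu)\r\nX-Powered-By: PHP/5.5.9\r\nContent-Type: text/html\r\n\r\n'
}

# Constructed sample: headers after server_tokens off, more_set_headers
# and expose_php = Off have been applied.
sample_after() {
    printf 'HTTP/1.1 200 OK\r\nServer: Example Server\r\nContent-Type: text/html\r\n\r\n'
}

for s in sample_before sample_after; do
    if "$s" | check_headers; then
        echo "$s: no version disclosure"
    else
        echo "$s: still leaking"
    fi
done
```

Run the check against an error page as well (for example a URL that returns 404), since nginx also prints its version there when server_tokens is on.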


Cool!