How to hide PHP 5/7 version when using Nginx

ADVERTISEMENTS



How to find out PHP version using the CLI

I am using PHP 5.6.xx and Nginx server on an Apline Linux server . I want to hide ‘X-Powered-By: PHP/5.6.32’ or ‘x-powered-by: PHP/7.3.6’ HTTP header. How can I hide PHP version when using Nginx along with PHP-fpm5 or PHP-fpm7?By default, client/user/browser see information about your PHP and web server version. If you forgot to update your PHP version, an attacker can use version information to attack or find vulnerabilities in your PHP version.Let us see how to hide PHP version on a Linux or Unix-like system.

You need to use the curl command as follows:

curl -IL https://some-server-ip-OR-domain-name/

curl -IL https://server1.cyberciti.biz/

Sample outputs:

HTTP/2 200 server: nginx date: Sun, 23 Jun 2019 20:48:48 GMT content-type: text/html; charset=UTF-8 x-powered-by: PHP/7.3.6 expires: Thu, 19 Nov 1981 08:52:00 GMT cache-control: no-store, no-cache, must-revalidate pragma: no-cache x-robots-tag: noindex, noarchive strict-transport-security: max-age=15768000 x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-whome: l-cbz01 referrer-policy: no-referrer-when-downgrade

Hiding your PHP version

You need to edit/create a file named custom.ini as per your Linux/Unix variant. Do not edit php.ini file as it might get updated/replaced with your PHP version. Here is a quick list:

Alpine Linux and PHP v5.6.xx : /etc/php5/conf.d/custom.ini Alpine Linux and PHP v7.xx : /etc/php7/conf.d/custom.ini Debian/Ubuntu Linux and PHP v7.xx : /etc/php/7.0/fpm/conf.d/custom.ini RHEL/Fedora/CentOS Linux : /etc/php.d/custom.ini

You can always find php directory location using php* and grep command:

$ php -i | more

$ php -i | grep -i -A4 'Additional .ini files parsed'

$ php-fpm5 -i | grep -i -A4 'Additional .ini files parsed'

$ php-fpm7.0 -i | grep -i -A4 'Additional .ini files parsed'

Sample outputs (look for directory name that stores all .ini files):

Configuration File ( php.ini ) Path = > /etc/php/7.0/fpm Loaded Configuration File = > /etc/php/7.0/fpm/php.ini Scan this dir for additional .ini files = > /etc/php/7.0/fpm/conf.d Additional .ini files parsed = > /etc/php/7.0/fpm/conf.d/10-mysqlnd.ini, /etc/php/ 7.0 /fpm/conf.d/ 10 -opcache.ini, /etc/php/ 7.0 /fpm/conf.d/ 10 -pdo.ini, Configuration File (php.ini) Path => /etc/php/7.0/fpm Loaded Configuration File => /etc/php/7.0/fpm/php.ini Scan this dir for additional .ini files => /etc/php/7.0/fpm/conf.d Additional .ini files parsed => /etc/php/7.0/fpm/conf.d/10-mysqlnd.ini, /etc/php/7.0/fpm/conf.d/10-opcache.ini, /etc/php/7.0/fpm/conf.d/10-pdo.ini,

Add the following line to custom.ini as per your setup:

############################################## ## this is for Alpine Linux and PHP v5.6.xx ## ############################################## echo 'expose_php = off' >> / etc / php5 / conf.d / custom.ini ############################################## ## this is for Alpine Linux and PHP v5.6.xx ## ############################################## echo 'expose_php = off' >> /etc/php5/conf.d/custom.ini

For Alpine Linux and PHP 7.x:

echo 'expose_php = off' >> / etc / php7 / conf.d / custom.ini echo 'expose_php = off' >> /etc/php7/conf.d/custom.ini

The syntax depends upon your PHP version:

### [ Alpine linux restart php-fpm ] ##

$ sudo /etc/init.d/php-fpm restart

### [ RHEL/CentOS 5.x/6.x restart php-fpm ] ##

$ sudo service php-fpm restart

### [ RHEL/CentOS 7.x restart php-fpm ] ##

$ sudo systemctl restart php-fpm

### [ Debian/Ubuntu Linux latest restart php-fpm ] ##

$sudo service php7.0-fpm restart

### [ FreeBSD restart php-fpm ] ##

$ sudo service php-fpm restart

### [ Alpine Linux restart php-fpm7 ] ##

$ sudo /etc/init.d/php-fpm7 restart



Verification

Use the curl command again:

$ curl -IL https://some-server-ip-OR-domain-name/

$ curl -IL https://server1.cyberciti.biz/

Sample outputs:

HTTP/2 200 server: nginx date: Sun, 23 Jun 2019 20:56:01 GMT content-type: text/html; charset=UTF-8 set-cookie: PHPSESSID=q49sd1armm17j7a8l658538n74; path=/ expires: Thu, 19 Nov 1981 08:52:00 GMT cache-control: no-store, no-cache, must-revalidate pragma: no-cache x-robots-tag: noindex, noarchive strict-transport-security: max-age=15768000 x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-whome: l-cbz01 referrer-policy: no-referrer-when-downgrade

You can also use the nmap command as follows:

sudo nmap -sV --script=http-php-version server-ip-here

sudo nmap -sV --script=http-php-version server1.cyberciti.biz

Sample outputs:

[ sudo ] password for vivek: Starting Nmap 7.70 ( https://nmap.org ) at 2019 -06- 24 02: 26 IST Nmap scan report for newsletter.cyberciti.biz ( 96.126.119.5 ) Host is up ( 0.26s latency ) . rDNS record for 96.126.119.5: nb- 96 - 126 - 119 - 5 .dallas.nodebalancer.linode.com Not shown: 998 closed ports PORT STATE SERVICE VERSION 80 /tcp open http nginx |_http-server-header: nginx 443 /tcp open ssl/http nginx |_http-server-header: nginx Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address ( 1 host up ) scanned in 21.20 seconds [sudo] password for vivek: Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-24 02:26 IST Nmap scan report for newsletter.cyberciti.biz (96.126.119.5) Host is up (0.26s latency). rDNS record for 96.126.119.5: nb-96-126-119-5.dallas.nodebalancer.linode.com Not shown: 998 closed ports PORT STATE SERVICE VERSION 80/tcp open http nginx |_http-server-header: nginx 443/tcp open ssl/http nginx |_http-server-header: nginx Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 21.20 seconds

A warning about hiding PHP version

This technique falls under Security Through Obscurity. Even if nobody outside of your org allowed to find out anything about PHP version, an attacker can still guess or find your PHP version using other methods such as fingerprinting. I strongly suggest that you apply PHP/Nginx/Apache patches on time and write secure code. Updating PHP is pretty simple as per your Linux/Unix variant:

Update PHP and other apps on an Ubuntu/Debian Linux

Type the following apt command/apt-get command:

$ sudo apt update

$ sudo apt upgrade

Update PHP and other apps on a RHEL/CentOS/Fedora Linux

Type the following yum command:

$ sudo yum update

Update PHP and other apps on an Alpine Linux

Type the following apk command:

# apk update && apk upgrade

See also