Hiding the version of the software used on the server is a good practice to confuse potential hackers. After all, knowing the version, for example, a web server, you can try to exploit a vulnerability that is relevant for this version.
And if the hacker does not know which version of software is used on the server, the selection of the vulnerability becomes a little more difficult. This page presents the parameters of some applications that allow you to hide the version and even the fact of using the service itself.
The content of the article:
To hide the version of the nginx server being used, add the following line to the /etc/nginx/nginx.conf configuration file:
You can also change the header sent by the server.
To hide the Apache version, open the /etc/apache2/conf.d/security.conf file and set the parameter there:
By default, postfix does not display its version in responses when connecting. But it shows that it is used exactly and the installed OS on the server (Debian, in our case :). It can be hidden.
Open the /etc/postfix/main.cf file, delete from the smtpd_banner parameter (Debian / GNU).
smtpd_banner = $ myhostname ESMTP $ mail_name (Debian / GNU)
Then we write the parameter:
mail_name = MailServer
After restarting Postfix, when they connect to the server, clients will see something like this.
root @ localhost: ~ # telnet localhost 25 Trying :: 1 ... Trying 127.0.0.1 ... Connected to localhost. Escape character is '^]'. 220 example.com ESMTP MailServer
And in the letters will be displayed such a headline:
Received: by example.com (MailServer, from userid 1001)
The web server can transfer the version of php used in the headers.
X-Powered-By: PHP / 5.6.19-0 + deb8u1
Parameter is responsible for hiding it:
expose_php = Off
You can install it in several ways:
- Edit the /etc/php5/*/php.ini file
- In the php-fpm pool file:
php_admin_value[expose_php] = "Off"
- In the apache virtual host configuration file:
php_admin_value expose_php Off
In general, with regard to MySQL, it makes no sense to hide the version. But you should restrict access to it from the outside, if you do not need external connections (for which you should allow access only from specific IP). Therefore, in the configuration file /etc/mysql/my.cnf, we change the parameter:
bind-address = 127.0.0.1
Here, too, nothing complicated. For hiding the version (and the fact of use) is responsible server.tag. You can specify something else altogether:
server.tag = "FrontPage"
It should be remembered that after changing the configuration files, each service should be restarted. ;)
And also adhere to the rule "Do not chat."