If you are running one or more websites based on the LEMP stack, a practical security measure is to hide the version numbers of Nginx and PHP. This would prevent hackers from using version-specific security breaches to attack your servers.
Let’s have a look at how to implement this measure on a Vultr WordPress server instance which is based on the LEMP stack. All of the instructions in this article should apply to other LEMP-based Vultr apps as well.
Determine current visibility of version numbers
curl -I [your-server-IP]:80
Then you will see the result, which resembles:
HTTP/1.1 200 OK
Server: nginx/1.10.0
Date: Fri, 06 May 2016 04:11:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.20
Link: <http://[your-server-IP]/wp-json/>; rel="https://api.w.org/"
As you see, on my server, the version number of Nginx is 1.10.0, and the version number of PHP is 5.6.20.
Hide the version number of Nginx
Display Nginx configuration details:
nginx -V
Among those parameters, find the parameter “–conf-path” which defines the location of the Nginx configuration file:
--conf-path=/etc/nginx/nginx.conf
Modify the Nginx configuration file with vi
:
sudo vi /etc/nginx/nginx.conf
Add a configuration sentence server_tokens off;
within the http { }
segment:
http {
...
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
server_tokens off; #<= The sentence is added Here.
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
Save and quit:
:wq
Edit the fastcgi configuration file:
sudo vi /etc/nginx/fastcgi_params
Replace the line:
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
With:
fastcgi_param SERVER_SOFTWARE nginx;
Save and quit:
:wq
Hide the version number of PHP
Modify the PHP configuration file:
sudo vi /etc/php.ini
Find the line:
expose_php = On
Modify it to:
expose_php = Off
Save and quit:
:wq
Finally, put your modifications into effect:
sudo pkill php-fpm
sudo php-fpm
sudo service nginx restart
Verify your modifications:
curl -I [your-server-IP]:80
The version info of Nginx and PHP are no longer visible:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 06 May 2016 05:16:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Link: <http://[your-server-IP ]/wp-json/>; rel="https://api.w.org/"
Want to contribute?
You could earn up to $300 by adding new articles
Suggest an update
Request an article