How to hide Apache and PHP version information
Created: 2019-05-06 02:36:46 | Last modified: 2023-12-01 02:44:04
How to hide Apache and PHP version information from the world. This can help tighten security.
When using Apache and PHP, version information is included in the headers of every HTTP response. This tells hackers which potentially outdated services are running on a server, which can help them compromise it. Hiding this information can help secure your servers.
Apache
Edit the configuration file
#CentOS/Red Hat/Fedora
vim /etc/httpd/conf/httpd.conf
#Ubuntu/Debian
vim /etc/apache2/conf-enabled/security.conf
Set the ServerTokens directive to Prod and the ServerSignature directive to Off. Comment out the old values, then restart Apache.
#ServerTokens Minimal
ServerTokens Prod
#ServerSignature On
ServerSignature Off
PHP
Edit the configuration file
#CentOS/Red Hat/Fedora
vim /etc/php.ini
#Ubuntu/Debian
vim /etc/php/VERSION/apache2/php.ini
Set expose_php to Off in the config file. Comment out the old value, then restart Apache.
#expose_php = On
expose_php = Off
Testing
To test the server, open a telnet session to port 80 and send a HEAD request to confirm that only basic server info is returned (curl -I localhost returns the same headers in one step). Type the following:
telnet localhost 80
HEAD / HTTP/1.0
<enter again>
HTTP/1.1 200 OK
Date: Mon, 06 May 2019 03:47:25 GMT
Server: Apache
Connection: close
Content-Type: text/html;charset=UTF-8
Connection closed by foreign host.
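To make the check repeatable after upgrades or config changes, the following added example (not part of the original page) reads response headers on stdin and flags a Server header that still carries a version or OS comment, and any X-Powered-By header, which is what expose_php controls. The function name and the sample responses are assumptions made up for the illustration.

```sh
#!/bin/sh
# Added example: flag version disclosure in raw HTTP response headers (stdin).
# Exit status 0 = nothing leaked, 1 = a header still discloses detail.
# Live use: curl -sI http://localhost/ | check_header_leaks
check_header_leaks() (
    cr=$(printf '\r')
    leaks=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                 # tolerate CRLF line endings
        [ -z "$line" ] && break            # blank line ends the header block
        case "$line" in *:*) ;; *) continue ;; esac   # skip the status line
        name=$(printf '%s' "${line%%:*}" | tr '[:upper:]' '[:lower:]')
        value=${line#*:}
        value=${value# }
        case "$name" in
            server)
                # ServerTokens Prod sends a bare product name; digits or "("
                # mean a version or OS comment is still being sent.
                case "$value" in
                    *[0-9]*|*"("*) echo "LEAK Server: $value"; leaks=1 ;;
                esac ;;
            x-powered-by)
                # expose_php = Off removes this header entirely.
                echo "LEAK X-Powered-By: $value"; leaks=1 ;;
        esac
    done
    exit "$leaks"    # the function body is a subshell, so this sets its status
)

# Constructed samples: HARDENED mirrors the output shown in Testing,
# LEAKY uses made-up values of the kind an unhardened server sends.
HARDENED='HTTP/1.1 200 OK
Date: Mon, 06 May 2019 03:47:25 GMT
Server: Apache
Connection: close
Content-Type: text/html;charset=UTF-8'
LEAKY='HTTP/1.1 200 OK
Server: Apache/2.4.2 (Unix)
X-Powered-By: PHP/7.4.3
Content-Type: text/html;charset=UTF-8'

printf '%s\n' "$HARDENED" | check_header_leaks && echo "hardened sample: clean"
printf '%s\n' "$LEAKY" | check_header_leaks || echo "leaky sample: still disclosing"
```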
Notes
Other Apache ServerTokens values
ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2
ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache
ServerTokens Major
Server sends (e.g.): Server: Apache/2
ServerTokens Minor
Server sends (e.g.): Server: Apache/2.4
ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/2.4.2
ServerTokens OS
Server sends (e.g.): Server: Apache/2.4.2 (Unix)