Can I hide all server / os info?

Question

I don't want anyone to be able to detect that I'm using NGINX or even Ubuntu from the internet. There are tools out there (such as BuiltWith) which scan servers to detect what tools they're using. Also, some cracking tools might help with deteting. What's the best / closest to that I can get to hiding all this info from the outside?

score 194 · Accepted Answer · edited Nov 02 '15 at 05:41

You can stop it outputting the version of Nginx and OS by adding

server_tokens off;

to a http, server, or location context.

Or if you want to remove the Server header completely, you need to compile Nginx with the Headers More module in, as the header is hard coded in the Nginx source, and this module allows changing any http headers.

 more_clear_headers Server;

However, there are many hidden ways servers perform by accident via their implementation which may help identify the system. e.g. How it responds to a bad SSL request. I don't see a practical way of preventing this.

Some of the things I might suggest:

change error templates
block all ports except the services needed

score 60 · Answer 2 · answered Mar 29 '16 at 04:19

If you have installed nginx using apt-get in Debian or Ubuntu, you might need to install the package nginx-extras to set or clear "Server" header

Once this is done, you can add the lines below in nginx.conf (usually /etc/nginx/nginx.conf):

To clear the "Server" header altogether:

more_clear_headers Server;

To Set a custom string as "Server"

more_set_headers 'Server: some-string-here';

score 26 · Answer 3 · edited Sep 14 '16 at 00:27

@Martin F. Yes it does. You will have to compile it from source and change what's needed before compiling the source.

I assume you downloaded the last stable version you decompressed it and you know where the files are. If that's the case, do the following:

nano src/http/ngx_http_header_filter_module.c

Then look for line 48 if I recall correctly.

static char ngx_http_server_string[] = "Server: nginx" CRLF;

Replace nginx with MyWhateverServerNameIWant e.g.

static char ngx_http_server_string[] = "Server: MyWhateverServerNameIWant" CRLF;

Then

nano src/core/nginx.h

look for the line

#define NGINX_VER          "nginx/" NGINX_VERSION

change "nginx/" to "MyWhateverServerNameIWant/" so it will read

#define NGINX_VER          "MyWhateverServerNameIWant" NGINX_VERSION

Finally if you want also change the version number

look for the line #define NGINX_VERSION "1.0.4"

and change "1.0.4" for whatever version you want. For example it will read

#define NGINX_VERSION      "5.5.5"

Hope it helps. Nevertheless. Securing a server goes far beyond not showing what's running. PHP is by nature insecure, and so is linux. Off course linux can be pretty secure if all needed measures are taken in order to achieve a decent security. As far as PHP is concerned I would recommend using Suoshin to help harden the security of your code.

score 20 · Answer 4 · edited Apr 29 '20 at 07:40

20

1) Install nginx-extras package alongside nginx:

apt install nginx-extras

2) Open nginx.conf and add following lines inside http block:

more_clear_headers Server;
server_tokens off;

3) Restart nginx

edited Apr 29 '20 at 07:40

num8er

103

answered Jun 02 '17 at 09:30

Aamish Baloch

301

score 7 · Answer 5 · answered Dec 18 '15 at 05:45

After a lot of time working out how to do a custom flavor of nginx on ubuntu I realized you can use the lua module for this.

On ubuntu 14.04 if you install the nginx-extras package you can remove the server header by using:

header_filter_by_lua 'ngx.header["server"] = nil';

Throw this in the http block and every request will be lacking a Server header.

If it doesn't work run nginx -V to verify that you have the lua module compiled into your copy of nginx. If not, there is likely an alternate package you can use to get it.

score 7 · Answer 6 · answered Oct 02 '17 at 07:08

Instead of the header_filter_by_lua it is recommended to use the new directive header_filter_by_lua_block which inlines the Lua source directly between curly braces ({}). With this it is not needed to escape special characters.

header_filter_by_lua_block { ngx.header["server"] = nil }

https://github.com/openresty/lua-nginx-module#header_filter_by_lua_block

score 7 · Answer 7 · answered Dec 23 '19 at 12:07

Just want to point out that even though the server header is removed from response, the name of the server (nginx or openresty e.g.) is still clearly visible in the html error response that the server sends in case of an error.

Anyone can very easily get this response by e.g. sending a header that is too long. Nginx will return a 400 Bad Request, that does not contain a server header (if fixed), but the html itself will show it:

P.S. I don't know how to get rid of this one as well, really the html itself will give it away, so there should be a way perhaps to not generate these at all?

score 3 · Answer 8 · answered Nov 22 '21 at 12:33

As mentioned by rapstacke in the comments, nginx-extras installs a lot extra stuff (surprise). In addition to that, I found out that after installing nginx-extras, nginx would fail to restart after executing systemctl reload nginx a couple of times.

If you only want to remove the server header, you should install libnginx-mod-http-headers-more-filter:

sudo apt-get install libnginx-mod-http-headers-more-filter

This works for me without any problems on Ubuntu 20.04.

score 1 · Answer 9 · answered Jun 18 '18 at 23:25

First and foremost: Why using an extra module as Headers More Nginx? Only to hide the server header. If a few lines, simple patch can reach the same solution for you.

As using an extra module could result in instability (how well has it been tested with your environment? With your other modules etc.) or insecurity (is this module regularly updated with bug and/or security related fixes?)

Secondly. This thread describes as reply 279389 how you can adjust the Nginx code to change the server header. Problem is that they have forgotten HTTP/2. In short, nothing will change. The server header will still be visible.

Less is more is better. Ok I admit, I have also been looking for a good solution for a long time. But finally found:

Nginx server header removal patch

I am finally redeemed from that annoying Nginx server header.

score 0 · Answer 10 · answered Apr 27 '20 at 09:41

Use below methods in source; to eliminate nginx string from error messages

sed -i 's@"nginx/"@"-/"@g' src/core/nginx.h
sed -i 's@r->headers_out.server == NULL@0@g' src/http/ngx_http_header_filter_module.c
sed -i 's@r->headers_out.server == NULL@0@g' src/http/v2/ngx_http_v2_filter_module.c
sed -i 's@<hr><center>nginx</center>@@g' src/http/ngx_http_special_response.c

then re-compile

score 0 · Answer 11 · answered Sep 25 '24 at 00:30

Nginx server disclosure happens through various status codes and therefore I use the combination of all of the following:

server_tokens off;
more_clear_headers Server;
error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 599 =444 /;
Use hexedit and manually replace the string "nginx" with something like "hiden".

Do not forget to take a backup of nginx executable first before attempting the last step. You may need to stop the server before editing and start after.

score 0 · Answer 12 · edited Apr 13 '17 at 12:14

Run this bash function in nginx source code folder. In nginx-$version, not in src/.

Based on this answer.

hidengxver () {
read -r -p "Your own http_server_string for safety: " http_server_string
first_string="static char ngx_http_server_string\[\] = \"Server: nginx\" CRLF;"
second_string="static char ngx_http_server_string\[\] = \"$http_server_string\" CRLF;"
sed -ire "s/$first_string/$second_string/g" src/http/ngx_http_header_filter_module.c

read -r -p "Your own NGINX_VER const: " nginx_ver
third_string="\#define NGINX\_VER          \"nginx\/\" NGINX\_VERSION"
forth_string="\#define NGINX\_VER          \"$nginx_ver\" NGINX\_VERSION"
sed -ire "s/$third_string/$forth_string/g" src/core/nginx.h

real_nginx_version=$( grep '#define NGINX_VERSION' src/core/nginx.h | gawk -F'"' '{print $2}' )
read -r -p "Your own NGINX_VERSION const: " new_nginx_version
fifth_string="\#define NGINX\_VERSION      \"$real_nginx_version\""
sixth_string="\#define NGINX\_VERSION      \"$new_nginx_version\""
sed -ire "s/$fifth_string/$sixth_string/g" src/core/nginx.h
}

score -1 · Answer 13 · edited May 29 '20 at 05:48

-1

Nginx-extra package is deprecated now.

The following therefore did not work for me as I tried installing various packages:

more_set_headers 'Server: My Very Own Server';

You can just do the following and no server or version information will be sent back

server_tokens '';

If you just want to remove the version number this works:

server_tokens off;

edited May 29 '20 at 05:48

Community

1

answered May 06 '20 at 06:11

LazyDeveloper

1

Can I hide all server / os info?

13 Answers13

Linked