How to hide the server version?

Hi Guys,

is there any directive to hide the exact server version in the header
and error pages?
I don’t mind showing that I’m running nginx but I don’t want to give out
which exact version it is.
It could give attackers additional information if the update is lacking
a version or something like that.

I know, security by obscurity isn’t working well but at least it’s a
stumbling block.

Regards,

thomas

Use:
server_tokens off;

From:
http://wiki.codemongers.com/NginxHttpHeadersModule

I believe this setting was added in version 0.5.34.

j.

On Mon, May 12, 2008 at 10:47 AM, Thomas S.
[email protected]

Hello,

Thomas S. wrote:

stumbling block.

Just put “server_tokens off;” in your main http configuration.

Don’t forget that if you are running fastcgi, you may have to put
“fastcgi_param SERVER_SOFTWARE nginx;” in your params instead of the
default value.
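Putting the two suggestions from this thread together, here is an added configuration fragment (not from the original posts, and not nginx's own shipped config) showing where `server_tokens off;` and the `SERVER_SOFTWARE` override go. The server name, document root and the FastCGI backend address are placeholders; the fact that the stock `fastcgi_params` file sets `SERVER_SOFTWARE` to `nginx/$nginx_version` is what makes the second part necessary, since that value is otherwise handed to the PHP (or other) backend and can surface in its own error output.

```nginx
# Added example, not from the thread. Fragment of nginx.conf.
http {
    # Drop the version from the Server response header and from the
    # footer of nginx's built-in error pages ("nginx" instead of "nginx/x.y.z").
    server_tokens off;

    server {
        listen 80;
        server_name example.com;     # placeholder
        root /var/www/site;          # placeholder

        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_pass 127.0.0.1:9000;   # placeholder backend address
        }
    }
}

# In the included fastcgi_params file, the stock line reads:
#     fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
# Replace it with the version-free value so the backend never sees the
# version either:
#     fastcgi_param  SERVER_SOFTWARE    nginx;
```

After reloading, a response still carries `Server: nginx`, but without the version suffix; that is the part Marc notes later in the thread cannot be removed without touching the source.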

Hi Renaud,

Fixed that one too for fastcgi. Thanks!

Regards,

thomas

For hiding Nginx from error pages, do I need to tweak the source code
or is there an option somewhere for that?

I created custom global 4xx and 5xx to hide the default nginx ones.
Is that what you need?

Hi Jay,

thanks a lot. Does exactly what I wanted.
Didn’t check the headers module, nearly anything else but not the
headers, duh!

Regards,

thomas

Jay Reitz schrieb:

I have server_tokens off; and neither the headers nor the 404 error
page seem to contain the nginx version.

FWIW, don’t fool yourself that not showing the version is any more
secure than displaying it.

Can you explain to me why it’s not more secure?

Hi Marcos,

I found the file /usr/local/nginx/html/50x.html, but I can’t find the
404 one.

Marcos N. wrote:

Can you explain to me why it’s not more secure?

because if someone is really that keen to attack you, they can quickly
figure out which version you are running by running through a number of
permutations, since nginx has only a limited version history.

by process of elimination the would-be hacker would soon realise which
version they would be trying to get into.

These files contain the responses with the server name/type
src/http/ngx_http_special_response.c
src/http/ngx_http_header_filter_module.c

I patch those files before compiling nginx.
But I want to know how an attacker can find the right server/version.
I’m really curious.

But what if I change my token to an apache2 version?
How can somebody find out that it’s nginx, and not apache, cherokee,
lighttpd or any other server?

On Fri, Jul 04, 2008 at 05:07:50PM -0300, Marcos N. wrote:

But what if I change my token to an apache2 version?
How can somebody find out that it’s nginx, and not apache, cherokee,
lighttpd or any other server?

that is an ugly hack (security through obscurity) not a proper security
measure. no matter how hard you try to hide something a security hole
(if any) is there and the attackers tend to throw everything they’ve got
at you, a proper security measure is to monitor this list for security
updates, or if it is in your power doing a security audit of the code.

On 7/4/08, Almir K. [email protected] wrote:

that is an ugly hack (security through obscurity) not a proper security
measure. no matter how hard you try to hide something a security hole
(if any) is there and the attackers tend to throw everything they’ve got
at you, a proper security measure is to monitor this list for security
updates, or if it is in your power doing a security audit of the code.

excellently put.

also - if you’re so worried about this, throw some packet inspecting
firewall in front of your web infrastructure to weed out the common
exploit patterns, port knocking/scanning, etc, etc. hiding the version
may buy you some time, but they’re making the tools so easy to use now
it will just throw the whole kitchen sink at you with one command…

I think that if an attacker doesn’t immediately see the version
number, he will move on to the next website that will have version
number and is easier to attack. Phpbb removed the version number from
the footer, and there is a reason for that.

But how to edit Nginx’ 404 page to not display “Nginx”?

I agree. There’s no such thing as 100% secure, so hiding the Server
signature, I really think, makes things harder. Perhaps enough to make
somebody give up.
But I’m sure that it’s just one thing to do of a whole list, like
firewall tuning, etc …

Marcos N. wrote:

I think that if an attacker doesn't immediately see the version
number, he will move on to the next website that will have version
number and is easier to attack. Phpbb removed the version number from
the footer, and there is a reason for that.

But how to edit Nginx' 404 page to not display "Nginx"?

I see attack urls against various pieces of software I’ve never had
installed on my system in the logs fairly frequently.

Most modern attackers aren’t going to try and determine your software
version they’re just going to try various attacks hoping to find one
that works.

Janzert

But how to edit Nginx’ 404 page to not display “Nginx”?

Have your own 404 page. More than that, have your own pages for every
possible error.

But this doesn’t change the fact that “Nginx” cannot be removed from all
response headers. It’s Igor’s choice not to have this particular part
configurable and I understand him. If you care enough, edit the
source.

Marc
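Marc's advice above (own pages for every error) and Jay's earlier global 4xx/5xx pages amount to the following added configuration fragment; it is not from the thread or from nginx's distribution. The paths and server name are placeholders. The `internal` location keeps the error documents reachable only through `error_page`, and because `error_page` without `=` preserves the original status code, a 404 is still answered as 404 while showing your page instead of the built-in one.

```nginx
# Added example, not from the thread. Custom pages for every error class.
http {
    server_tokens off;   # still needed: the built-in page footer names nginx

    server {
        listen 80;
        server_name example.com;     # placeholder
        root /var/www/site;          # placeholder document root

        # Replace nginx's built-in error documents with our own files.
        # Status codes are kept; only the body changes.
        error_page 400 401 403 404 405 /errors/4xx.html;
        error_page 500 502 503 504     /errors/5xx.html;

        # The error documents live under /var/www/site/errors/ and are
        # served only via an internal redirect from error_page, never
        # in response to a direct client request.
        location /errors/ {
            internal;
        }
    }
}
```

What this does not change is the `Server: nginx` header itself: as Marc says, that string is not configurable in stock nginx and stays unless the source is edited, so the custom pages remove the product name from the body only.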