Can I hide all server / os info?

Question

I don't want anyone to be able to detect that I'm using NGINX or even Ubuntu from the internet. There are tools out there (such as BuiltWith) which scan servers to detect what tools they're using. Also, some cracking tools might help with deteting. What's the best / closest to that I can get to hiding all this info from the outside?

Answer 1

You can stop it outputting the version of Nginx and OS by adding

server_tokens off;

to a http, server, or location context.

Or if you want to remove the Server header completely, you need to compile Nginx with the Headers More module in, as the header is hard coded in the Nginx source, and this module allows changing any http headers.

 more_clear_headers Server;

However, there are many hidden ways servers perform by accident via their implementation which may help identify the system. e.g. How it responds to a bad SSL request. I don't see a practical way of preventing this.

Some of the things I might suggest:

• change error templates
• block all ports except the services needed

Answer 2

If you have installed nginx using apt-get in Debian or Ubuntu, you might need to install the package nginx-extras to set or clear "Server" header

Once this is done, you can add the lines below in nginx.conf (usually /etc/nginx/nginx.conf):

To clear the "Server" header altogether:

more_clear_headers Server; 

To Set a custom string as "Server"

more_set_headers 'Server: some-string-here';

Answer 3

@Martin F. Yes it does. You will have to compile it from source and change what's needed before compiling the source.

I assume you downloaded the last stable version you decompressed it and you know where the files are. If that's the case, do the following:

nano src/http/ngx_http_header_filter_module.c

Then look for line 48 if I recall correctly.

static char ngx_http_server_string[] = "Server: nginx" CRLF;

Replace nginx with MyWhateverServerNameIWant e.g.

static char ngx_http_server_string[] = "Server: MyWhateverServerNameIWant" CRLF; 

Then

nano src/core/nginx.h 

look for the line

#define NGINX_VER          "nginx/" NGINX_VERSION

change "nginx/" to "MyWhateverServerNameIWant/" so it will read

#define NGINX_VER          "MyWhateverServerNameIWant" NGINX_VERSION

Finally if you want also change the version number

look for the line #define NGINX_VERSION "1.0.4"

and change "1.0.4" for whatever version you want. For example it will read

#define NGINX_VERSION      "5.5.5"

Hope it helps. Nevertheless. Securing a server goes far beyond not showing what's running. PHP is by nature insecure, and so is linux. Off course linux can be pretty secure if all needed measures are taken in order to achieve a decent security. As far as PHP is concerned I would recommend using Suoshin to help harden the security of your code.

Answer 4

1) Install nginx-extras package alongside nginx:

apt install nginx-extras

2) Open nginx.conf and add following lines inside http block:

more_clear_headers Server;
server_tokens off;

3) Restart nginx

Answer 5

After a lot of time working out how to do a custom flavor of nginx on ubuntu I realized you can use the lua module for this.

On ubuntu 14.04 if you install the nginx-extras package you can remove the server header by using:

header_filter_by_lua 'ngx.header["server"] = nil';

Throw this in the http block and every request will be lacking a Server header.

If it doesn't work run nginx -V to verify that you have the lua module compiled into your copy of nginx. If not, there is likely an alternate package you can use to get it.

Answer 6

Instead of the header_filter_by_lua it is recommended to use the new directive header_filter_by_lua_block which inlines the Lua source directly between curly braces ({}). With this it is not needed to escape special characters.

header_filter_by_lua_block { ngx.header["server"] = nil }

https://github.com/openresty/lua-nginx-module#header_filter_by_lua_block

Answer 7

Just want to point out that even though the server header is removed from response, the name of the server (nginx or openresty e.g.) is still clearly visible in the html error response that the server sends in case of an error.

Anyone can very easily get this response by e.g. sending a header that is too long. Nginx will return a 400 Bad Request, that does not contain a server header (if fixed), but the html itself will show it:

P.S. I don't know how to get rid of this one as well, really the html itself will give it away, so there should be a way perhaps to not generate these at all?

Answer 8

First and foremost: Why using an extra module as Headers More Nginx? Only to hide the server header. If a few lines, simple patch can reach the same solution for you.

As using an extra module could result in instability (how well has it been tested with your environment? With your other modules etc.) or insecurity (is this module regularly updated with bug and/or security related fixes?)

Secondly. This thread describes as reply 279389 how you can adjust the Nginx code to change the server header. Problem is that they have forgotten HTTP/2. In short, nothing will change. The server header will still be visible.

Less is more is better. Ok I admit, I have also been looking for a good solution for a long time. But finally found:

Nginx server header removal patch

I am finally redeemed from that annoying Nginx server header.

Answer 9

Use below methods in source; to eliminate nginx string from error messages

sed -i 's@"nginx/"@"-/"@g' src/core/nginx.h
sed -i 's@r->headers_out.server == NULL@0@g' src/http/ngx_http_header_filter_module.c
sed -i 's@r->headers_out.server == NULL@0@g' src/http/v2/ngx_http_v2_filter_module.c
sed -i 's@<hr><center>nginx</center>@@g' src/http/ngx_http_special_response.c

then re-compile

Answer 10

Nginx-extra package is deprecated now.

The following therefore did not work for me as I tried installing various packages:

more_set_headers 'Server: My Very Own Server';

You can just do the following and no server or version information will be sent back

server_tokens '';

If you just want to remove the version number this works:

server_tokens off;

Answer 11

As mentioned by rapstacke in the comments, nginx-extras installs a lot extra stuff (surprise). In addition to that, I found out that after installing nginx-extras, nginx would fail to restart after executing systemctl reload nginx a couple of times.

If you only want to remove the server header, you should install libnginx-mod-http-headers-more-filter:

sudo apt-get install libnginx-mod-http-headers-more-filter

This works for me without any problems on Ubuntu 20.04.

Answer 12

Run this bash function in nginx source code folder. In nginx-$version, not in src/.

Based on this answer.

hidengxver () {
read -r -p "Your own http_server_string for safety: " http_server_string
first_string="static char ngx_http_server_string\[\] = \"Server: nginx\" CRLF;"
second_string="static char ngx_http_server_string\[\] = \"$http_server_string\" CRLF;"
sed -ire "s/$first_string/$second_string/g" src/http/ngx_http_header_filter_module.c

read -r -p "Your own NGINX_VER const: " nginx_ver
third_string="\#define NGINX\_VER          \"nginx\/\" NGINX\_VERSION"
forth_string="\#define NGINX\_VER          \"$nginx_ver\" NGINX\_VERSION"
sed -ire "s/$third_string/$forth_string/g" src/core/nginx.h

real_nginx_version=$( grep '#define NGINX_VERSION' src/core/nginx.h | gawk -F'"' '{print $2}' )
read -r -p "Your own NGINX_VERSION const: " new_nginx_version
fifth_string="\#define NGINX\_VERSION      \"$real_nginx_version\""
sixth_string="\#define NGINX\_VERSION      \"$new_nginx_version\""
sed -ire "s/$fifth_string/$sixth_string/g" src/core/nginx.h
}