• 8
name Punditsdkoslkdosdkoskdo

How Can I conceal all server / os info?

I don't want anyone to be able to detect that I'm using NGINX or even Ubuntu from the internet. There are tools out there (such as BuiltWith) which scan servers to detect what tools they're using. Also, some cracking tools might help with deteting. What's the best / closest to that I can get to hiding all this info from the outside?

@Martin F. Yes it does. You will have to compile it from source and change what's needed before compiling the source.

I assume you downloaded the last stable version you decompressed it and you know where the files are. If that's the case, do the following:

nano src/http/ngx_http_header_filter_module.c

Then look for line 48 if I recall correctly.

static char ngx_http_server_string[] = "Server: nginx" CRLF;

Replace nginx with MyWhateverServerNameIWant e.g.

static char ngx_http_server_string[] = "Server: MyWhateverServerNameIWant" CRLF; 


nano src/core/nginx.h 

look for the line

#define NGINX_VER          "nginx/" NGINX_VERSION

change "nginx/" to "MyWhateverServerNameIWant/" so it will read

#define NGINX_VER          "MyWhateverServerNameIWant" NGINX_VERSION

Finally if you want also change the version number

look for the line #define NGINX_VERSION "1.0.4"

and change "1.0.4" for whatever version you want. For example it will read

#define NGINX_VERSION      "5.5.5"

Hope it helps. Nevertheless. Securing a server goes far beyond not showing what's running. PHP is by nature insecure, and so is linux. Off course linux can be pretty secure if all needed measures are taken in order to achieve a decent security.

  • 0
Reply Report

If you have installed nginx using apt-get in Debian or Ubuntu, you might need to install the package nginx-extras to set or clear "Server" header

Once this is done, you can add the lines below in nginx.conf (usually /etc/nginx/nginx.conf):

To clear the "Server" header altogether:

more_clear_headers Server; 

To Set a custom string as "Server"

more_set_headers 'Server: some-string-here';
  • 0
Reply Report

You can stop it outputting the version of Nginx and OS by adding

server_tokens off;

to a httpserver, or location context.

Or if you want to remove the Server header completely, you need to compile Nginx with the Headers More module in, as the header is hard coded in the Nginx source, and this module allows changing any http headers.

 more_clear_headers Server;

However, there are many hidden ways servers perform by accident via their implementation which may help identify the system. e.g. How it responds to a bad SSL request. I don't see a practical way of preventing this.

Some of the things I might suggest:

  • change error templates
  • block all ports except the services needed
  • 0
Reply Report