Attackers mostly go after a server once they know which software it runs and which version. We can reduce the chances of that first by hiding the name and version of Nginx, and secondly by regularly updating the tools we use; the hidden banner only removes an easy hint, while keeping Nginx patched is what actually closes the holes.
This quick post guides you through renaming the Nginx server name and removing the version from the response headers.
If you haven't installed Nginx, or don't know how to install Nginx on an Ubuntu machine, you can follow this tutorial.
You can check that the server is running with the command below
sudo service nginx status
Let's request the server and see what we get back in the response headers
ubuntu@ip-172-31-37-234:~$ curl -I localhost
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 22 Feb 2022 20:57:32 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 22 Feb 2022 20:56:10 GMT
Connection: keep-alive
ETag: "62154dea-264"
Accept-Ranges: bytes
To rename the default server header we need a directive called more_set_headers. It does not ship with Nginx, so we need to build and install a dynamic module called headers-more-nginx-module.
If you installed Nginx from the Ubuntu package, download the source of the exact Nginx version that is already installed. This is needed because the dynamic module must be compiled against the same version as the running binary.
Let's download and unpack the Nginx source
wget http://nginx.org/download/nginx-1.18.0.tar.gz
tar -xvzf nginx-1.18.0.tar.gz
Since Nginx is already installed, we can list its build options and the modules it was built with. You can do that by using
nginx -V
nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-BUo7Uw/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module
Copy the configure arguments from that output; we pass them when compiling the headers-more module so that the module matches the installed binary.
Now let's download the headers-more-nginx-module source and build it
git clone https://github.com/openresty/headers-more-nginx-module.git
cd nginx-1.18.0/
./configure --add-dynamic-module=/home/ubuntu/headers-more-nginx-module <paste the configure arguments from the nginx -V output above, starting with --with-cc-opt=...>
make
Once it's done, the compiled module is in the /home/ubuntu/nginx-1.18.0/objs directory. We need to copy it into the module directory of the installed Nginx (the --modules-path from the nginx -V output)
sudo cp objs/ngx_http_headers_more_filter_module.so /usr/lib/nginx/modules/
Now the headers-more-nginx-module is available to use. Open nginx.conf, load the installed module with load_module, and add both directives, server_tokens off and more_set_headers, to the http block
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
load_module modules/ngx_http_headers_more_filter_module.so;

events {
    worker_connections 768;
}

http {
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    server_tokens off;
    more_set_headers 'Server: Gandalf'; # Gandalf will protect your server from balrog.
}
Restart the nginx server
sudo service nginx restart
Let's check the response headers again
curl -I localhost
HTTP/1.1 200 OK
Date: Tue, 22 Feb 2022 21:57:08 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 22 Feb 2022 20:56:10 GMT
Connection: keep-alive
ETag: "62154dea-264"
Server: Gandalf
Accept-Ranges: bytes
If you want to remove the Server header completely, set it to an empty value like this in the nginx.conf file
more_set_headers 'Server: ';
Output
curl -I localhost
HTTP/1.1 200 OK
Date: Tue, 22 Feb 2022 21:58:02 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 22 Feb 2022 20:56:10 GMT
Connection: keep-alive
ETag: "62154dea-264"
Accept-Ranges: bytes
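To verify the result without eyeballing curl output, here is an added Python check (not part of the original post) that parses a curl -I style header block and reports how much the Server header reveals. The three sample blocks are copied from the responses above; the "product" case (Server: nginx, which server_tokens off alone produces) and the check_live helper name are my additions.

```python
import http.client
import re

# Header blocks constructed from the responses shown in this post.
BEFORE_FIX = "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nContent-Length: 612\r\n"
RENAMED = "HTTP/1.1 200 OK\r\nContent-Length: 612\r\nServer: Gandalf\r\n"
REMOVED = "HTTP/1.1 200 OK\r\nContent-Length: 612\r\nAccept-Ranges: bytes\r\n"

# "product/version" at the start of the value, e.g. nginx/1.18.0 (Ubuntu)
VERSION_RE = re.compile(r"^(?P<product>[A-Za-z][\w.-]*)/(?P<version>\d[\w.]*)")
# Bare product names (assumed list) that still identify the software.
KNOWN_PRODUCTS = ("nginx", "openresty", "apache")


def parse_headers(raw: str) -> dict:
    """Parse an HTTP response header block (as printed by curl -I) into a
    dict with lower-cased names; the status line is skipped."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_server_header(raw: str) -> str:
    """Return 'version' (product and version leaked), 'product' (name only),
    'custom' (renamed, e.g. Gandalf) or 'absent' (header missing or empty)."""
    value = parse_headers(raw).get("server")
    if not value:
        return "absent"
    if VERSION_RE.match(value):
        return "version"
    if value.lower() in KNOWN_PRODUCTS:
        return "product"
    return "custom"


def check_live(host: str, port: int = 80, path: str = "/") -> str:
    """Send a HEAD request (like curl -I) to a server you operate and classify it."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        raw = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
        raw += "".join("%s: %s\r\n" % (k, v) for k, v in resp.getheaders())
        return classify_server_header(raw)
    finally:
        conn.close()
```

Run check_live("localhost") after each restart; anything other than "custom" or "absent" means the banner is still leaking.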
Congratulations! You have successfully renamed the server name and removed the version.
Hope this post was helpful. If you enjoyed this post, share it.