How to prevent exploit attacks by hiding server version (Nginx / Apache2) 🕵

1. Overview

Exploits are often targeted at one very specific version of a piece of software.

Nginx and Apache servers respond by default with their exact server version to HTTP requests, which is a potential weakness.

If an attacker knows the exact server version and it is an outdated one, it is easy to tailor an attack using the known vulnerabilities of that version.

2. How to stop sending server version : Apache2

On an Apache system we edit apache2.conf or httpd.conf, located at /etc/apache2/apache2.conf and /etc/httpd/conf/httpd.conf, respectively.

The following two lines have to be present:

ServerTokens Prod
ServerSignature Off

If apache2 is managed by systemd (Ubuntu 15.04+), restart it with:

sudo systemctl restart apache2

Otherwise, use service:

sudo service apache2 restart

3. How to stop sending server version : Nginx

For Nginx servers we edit our custom config file, which is usually located under /etc/nginx/sites-enabled.

To turn off sending the exact server version we add a single line, server_tokens off;, to our .conf file (parts of the file have been omitted, of course):

#....
server_tokens off; ## Don't show the nginx version number, a security best practice

upstream php-handler {
    server 127.0.0.1:9000;
}

server {
    listen 80;
    server_name blabla123blabla123.net;
    location / {
        return 301 https://$server_name$request_uri; # enforce https
    }
    location /tomcat/ {
        proxy_pass http://localhost:8080/;
    }
}

server {
    listen 80;
    server_name www.blabla123blabla123.com blabla123blabla123.com;
    location / {
        return 301 https://www.blabla123blabla123.com;
    }
}

#....

Note that this setting applies to all server blocks below it. It is of course possible to override it again inside an individual server block.

Now we can test our configuration with

sudo nginx -t

… and apply the new configuration by reloading nginx:

sudo nginx -s reload

4. Conclusion

The end result will look like this:

It is pretty simple to update your server config and hide your server version.

If you are also running a PHP processor, you might want to hide which version of it you have deployed.
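To verify the change from the client side, here is an added Python check (not part of the original post) that parses a raw HTTP response head and reports any product/version tokens found in the Server and X-Powered-By headers, covering the Apache, Nginx and PHP cases above. The two sample responses are constructed for the example, not captured from a real host.

```python
import re
from typing import Dict, List

# Header names whose value commonly carries a product version.
VERSION_HEADERS = ("server", "x-powered-by")
# Matches a product/version token such as "nginx/1.18.0" or "PHP/7.4.3".
VERSION_RE = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response head into a dict keyed by lower-cased header name."""
    headers: Dict[str, List[str]] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def leaked_versions(raw: str) -> List[str]:
    """Return 'header: product/version' for every version disclosed in the response head."""
    headers = parse_headers(raw)
    leaks: List[str] = []
    for name in VERSION_HEADERS:
        for value in headers.get(name, []):
            for product, version in VERSION_RE.findall(value):
                leaks.append(f"{name}: {product}/{version}")
    return leaks

# Constructed sample responses (not captured from a real host).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        leaks = leaked_versions(raw)
        print(f"{label}: {leaks or 'no version disclosed'}")
```

For a live check of your own host, feed the output of `curl -sI https://your-host/` to leaked_versions; an empty list means no version number reached the client.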
