Jason Turley's Website

How to Hide Nginx Version Information

Banner grabbing is a technique used to get information about services running on a network. It is often used by system admins to keep track of the different services across their organization.

However, attackers also utilize banner grabbing techniques to determine if a system can be exploited. By hiding this information you make their life more difficult, and your server more secure.

Today I will show you how to do this with an Nginx web server.

Before we begin, run your own banner grab with:

$ curl -I jasonturley.xyz
HTTP/1.1 301 Moved Permanently
Server: nginx *(REDACTED VERSION INFO)*
Date: Fri, 16 Apr 2021 17:15:59 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://jasonturley.xyz/

Notice the information in the Server: field. I’ve redacted the version number in this example (don’t want to leak my own info!), but you get the idea.

Hide Nginx Version Information

To hide this info, edit the /etc/nginx/nginx.conf file:

sudo vim /etc/nginx/nginx.conf

The server_tokens directive enables or disables emitting the nginx version on error pages and in the “Server” response header field.

Turn it off by adding server_tokens off; under the http section:

http {
	...
	server_tokens off;
	...
}

Save and exit the text editor.

Next, check that nothing was broken with:

sudo nginx -t

It should respond that everything is ok. If not, open the file again and check your syntax.

To apply the changes, the configuration needs to be reloaded (or the server restarted):

sudo service nginx reload 	# Debian/Ubuntu
sudo systemctl restart nginx 	# RedHat/Centos

Finally, confirm the changes worked:

$ curl -I jasonturley.xyz
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 16 Apr 2021 17:15:59 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://jasonturley.xyz/

The server version is no longer present!
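As an added example (not part of the original post), a small POSIX shell check that does the same verification offline: it inspects a Server header for a version string and checks that an nginx config has an active server_tokens off; line. The header and config samples below are constructed, and the version number in them is made up; on a real host you would feed it the output of curl -sI and your own nginx.conf.

```shell
#!/bin/sh
# Added example, not from the original post: verify the result of the
# server_tokens change offline, using constructed samples.

# Returns 0 if the Server header is version-free, 1 if it carries a version.
check_server_header() {
    server=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^server:' \
             | head -n 1 | sed 's/^[^:]*:[[:space:]]*//')
    if [ -z "$server" ]; then
        echo "ok: no Server header"
        return 0
    fi
    # nginx reports its version as "nginx/<digits>", so a slash followed
    # by a digit is the pattern that server_tokens off removes.
    if printf '%s\n' "$server" | grep -Eq '/[0-9]'; then
        echo "LEAK: Server: $server"
        return 1
    fi
    echo "ok: Server: $server"
    return 0
}

# Returns 0 if the config contains an active (uncommented) "server_tokens off;".
config_hides_version() {
    printf '%s\n' "$1" \
        | grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;'
}

# Constructed samples; the version number below is made up.
BEFORE='HTTP/1.1 301 Moved Permanently
Server: nginx/1.99.0
Date: Fri, 16 Apr 2021 17:15:59 GMT'
AFTER='HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 16 Apr 2021 17:15:59 GMT'
CONF_COMMENTED='http {
    # server_tokens off;
}'
CONF_FIXED='http {
    server_tokens off;
}'

check_server_header "$BEFORE" || :          # reports LEAK
check_server_header "$AFTER"                 # reports ok
config_hides_version "$CONF_COMMENTED" || echo "config: server_tokens off missing"
config_hides_version "$CONF_FIXED" && echo "config: server_tokens off is set"
```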