Disguise the nginx version to hinder web server intrusion

Source: Internet
Author: User
Tags: nginx, server

Attackers scan web servers to learn which software and version they run, look up the known vulnerabilities of that version, and use them to break in. nginx is powerful, but it is still software, and software can have vulnerabilities. For example, the nginx-0.6.32 version may, by default, cause the server to hand files of any type to PHP for parsing: if a jpg Trojan is uploaded to a forum website, the parsing flaw turns it into a PHP webshell, and the attacker can use it to gain control of the server, a serious security problem. This lets attackers compromise nginx servers that serve PHP. If your nginx version is exposed and that version has known vulnerabilities, your web server is at risk.

On an nginx server you can change the header string that nginx reports by editing the source code before building. The following uses the nginx-1.2.0 version as an example.

    [root@www nginx-1.2.0]# cd src/core/
    [root@www core]# vim nginx.h        # edit the nginx.h file


Then compile and install nginx as usual.
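The edit described above can be made reproducible so it is not lost when the source tree is refreshed. The following is an added example, not code from the article: it rewrites only the two string macros (NGINX_VERSION and NGINX_VER) and deliberately leaves the numeric nginx_version macro alone, since the build and third-party modules check that number. The embedded nginx.h text is a constructed sample modelled on the article's listing; the function names are my own.

```python
import re
import sys

# Constructed sample of the relevant part of src/core/nginx.h as shipped with
# nginx 1.2.0 (macro names and values taken from the article's listing).
ORIGINAL_NGINX_H = '''\
/*
 * Copyright (C) Igor Sysoev
 * Copyright (C) Nginx, Inc.
 */


#ifndef _NGINX_H_INCLUDED_
#define _NGINX_H_INCLUDED_


#define nginx_version      1002000
#define NGINX_VERSION      "1.2.0"
#define NGINX_VER          "nginx/" NGINX_VERSION

#define NGINX_VAR          "NGINX"
#define NGX_OLDPID_EXT     ".oldbin"


#endif /* _NGINX_H_INCLUDED_ */
'''

# Match the two user-visible string macros; group 1 keeps the original spacing.
_VERSION_RE = re.compile(r'^(#define\s+NGINX_VERSION\s+)"[^"]*"', re.MULTILINE)
_VER_RE = re.compile(r'^(#define\s+NGINX_VER\s+)"[^"]*"(\s+NGINX_VERSION)', re.MULTILINE)


def disguise_header(source: str, product: str = "Apache", version: str = "2.2.2") -> str:
    """Return nginx.h with the banner strings replaced.

    Only NGINX_VERSION and NGINX_VER are touched; nginx_version (the numeric
    value modules compare against) is left exactly as it was.
    """
    new, n_version = _VERSION_RE.subn(rf'\g<1>"{version}"', source)
    new, n_ver = _VER_RE.subn(rf'\g<1>"{product}/"\g<2>', new)
    if n_version != 1 or n_ver != 1:
        # Refuse to guess if the file layout differs from what we expect.
        raise ValueError("expected exactly one NGINX_VERSION and one NGINX_VER define")
    return new


def banner(source: str) -> str:
    """Reconstruct the Server header value a build of this nginx.h would send."""
    version = _VERSION_RE.search(source).group(0).split('"')[1]   # e.g. "1.2.0"
    product = _VER_RE.search(source).group(0).split('"')[1]       # e.g. "nginx/"
    return product + version


if __name__ == "__main__":
    # Usage: python disguise_nginx_h.py src/core/nginx.h [product] [version]
    path = sys.argv[1]
    args = sys.argv[2:4]
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    patched = disguise_header(original, *args)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(patched)
    print(f"{banner(original)} -> {banner(patched)}")
```

Run it against the real src/core/nginx.h before `./configure && make`; the printed line shows the old and new banner so the change can be checked before the build.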

Test Results

Scan the host with nmap:

Use curl to obtain the HTTP response headers:

You can also see the effect by requesting a nonexistent URL:

Whether the host is scanned with nmap, the HTTP response headers are fetched with curl, or a nonexistent URL is requested, the web server now identifies itself as Apache/2.2.2, hiding the real version, nginx-1.2.0. The banner could equally be disguised as IIS, Lighttpd, Tengine or any custom name; the point is to confuse an intruder's reconnaissance and protect the web server.

Supplement: a reader left a message saying that the 404 page still shows the nginx style. To fix that, replace the default 404 page.

Add the following to nginx.conf to specify the path of the 404 page (under /usr/local/nginx/html):

 

Reload the configuration file:

 

Request a page that does not exist and you can see the effect.

 

The edited src/core/nginx.h file (nginx-1.2.0):

    /*
     * Copyright (C) Igor Sysoev
     * Copyright (C) Nginx, Inc.
     */


    #ifndef _NGINX_H_INCLUDED_
    #define _NGINX_H_INCLUDED_


    #define nginx_version      1002000
    #define NGINX_VERSION      "2.2.2"                  /* default value is "1.2.0" */
    #define NGINX_VER          "Apache/" NGINX_VERSION  /* default is "nginx/" */

    #define NGINX_VAR          "NGINX"
    #define NGX_OLDPID_EXT     ".oldbin"


    #endif /* _NGINX_H_INCLUDED_ */

The nginx.conf fragment for the custom 404 page:

    error_page 404 /404.html;
    location = /404.html {
        root html;
    }

The reload command:

    /usr/local/nginx/sbin/nginx -s reload
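The manual checks in the test results section (curl against the site, then a request for a nonexistent URL after the 404 supplement) can be turned into one repeatable check. The following is an added example, not code from the article: it parses an HTTP response, then looks for the real server's name in the Server and X-Powered-By headers and in the response body, which is where the default nginx 404 page leaks it. The two sample responses are constructed, not captured from a real host; the function names are my own. Note that nginx's own `server_tokens off;` directive only removes the version number and still reports "nginx", which is why the article patches the source instead; and that only the banner and default error pages change, so other fingerprints of the server remain.

```python
import http.client
import re
import sys

# Constructed sample: what an unmodified nginx 1.2.0 returns for a missing page.
DEFAULT_NGINX_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: nginx/1.2.0\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>\r\n<head><title>404 Not Found</title></head>\r\n"
    b"<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n"
    b"<hr><center>nginx/1.2.0</center>\r\n</body>\r\n</html>\r\n"
)

# Constructed sample: the same request after the nginx.h edit and custom 404 page.
DISGUISED_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache/2.2.2\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Page not found</h1></body></html>\r\n"
)

# Names that would reveal the real server, with an optional "/version" suffix.
LEAK_PATTERN = re.compile(r"\b(nginx|tengine|openresty)(?:/[\d.]+)?", re.IGNORECASE)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1", errors="replace")


def find_leaks(headers: dict, body: str) -> list:
    """Return a list of places where the real server software is disclosed."""
    findings = []
    for name in ("server", "x-powered-by"):
        value = headers.get(name, "")
        if LEAK_PATTERN.search(value):
            findings.append(f"header {name}: {value}")
    # The default error page embeds the banner in the body; dedupe repeats.
    for match in sorted({m.group(0) for m in LEAK_PATTERN.finditer(body)}):
        findings.append(f"body: {match}")
    return findings


def check_raw(raw: bytes) -> list:
    """Convenience wrapper for a captured or constructed response."""
    _, headers, body = parse_response(raw)
    return find_leaks(headers, body)


def probe(host: str, path: str = "/this-page-does-not-exist", port: int = 80) -> list:
    """Fetch a nonexistent path from your own server and report any leaks."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    body = resp.read().decode("latin-1", errors="replace")
    conn.close()
    return find_leaks(headers, body)


if __name__ == "__main__":
    # Usage: python check_banner.py <your-host> [port]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    leaks = probe(host, port=port)
    print("\n".join(leaks) if leaks else "no server disclosure found")
```

Run it against your own server after reloading nginx; an empty result means neither the headers nor the 404 body name the real software.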
