隐藏Nginx版本号！

Posted 2022-10-29 l1-5551

在生产环境中，需要隐藏 nginx 的版本号，以避免安全漏洞的泄漏

一旦有黑客知道Nginx版本号便可以利用Nginx漏洞进行攻击，严重影响到了公司的安全

查看隐藏版本号命令：curl -I http://ip地址

========================================================

安装Nginx后查看：

[root@localhost nginx-1.16.0]# curl -I http://192.168.200.120
HTTP/1.1 200 OK
Server: nginx/1.16.0
Date: Thu, 12 Sep 2019 03:55:10 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Thu, 12 Sep 2019 01:08:46 GMT
Connection: keep-alive
ETag: "5d799a9e-264"
Accept-Ranges: bytes

隐藏方法1【基于源码包】：（安装Nginx后要修改文件必须先卸载Nginx再安装）

[root@localhost ~]# killall -9 nginx                                            //杀死nginx进程
[root@localhost ~]# rm -rf /usr/local/nginx/     
[root@localhost ~]# cd /usr/src/nginx-1.16.0/
[root@localhost nginx-1.16.0]# make clean
rm -rf Makefile objs                                                                
[root@localhost nginx-1.16.0]# cd
[root@localhost ~]# rm -rf /usr/src/nginx-1.16.0/                    //卸载完成

[root@localhost ~]# tar xf nginx-1.16.0.tar.gz -C /usr/src

[root@localhost ~]# cd /usr/src/nginx-1.16.0/

[root@localhost nginx-1.16.0]# vim src/core/nginx.h

修改文件前图示：

修改文件后图示：

[root@localhost nginx-1.16.0]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module

[root@localhost nginx-1.16.0]# make

[root@localhost nginx-1.16.0]# make install

[root@localhost nginx-1.16.0]# curl -I http://192.168.200.120
curl: (7) Failed connect to 192.168.200.120:80; 拒绝连接
[root@localhost nginx-1.16.0]# netstat -anpt | grep nginx
[root@localhost nginx-1.16.0]# nginx
[root@localhost nginx-1.16.0]# netstat -anpt | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 21446/nginx: master
[root@localhost nginx-1.16.0]# curl -I http://192.168.200.120
HTTP/1.1 200 OK
Server: apache/2.4.31
Date: Thu, 12 Sep 2019 04:15:38 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Thu, 12 Sep 2019 04:13:25 GMT
Connection: keep-alive
ETag: "5d79c5e5-264"
Accept-Ranges: bytes

 方法2【修改配置文件】（不卸载Nginx隐藏版本号，直接修改配置文件）

[root@localhost nginx-1.16.0]# curl -I http://192.168.200.115                           
HTTP/1.1 200 OK  
Server: nginx/1.16.0                                                                               //原版本号
Date: Thu, 12 Sep 2019 05:38:07 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Thu, 12 Sep 2019 05:37:35 GMT
Connection: keep-alive
ETag: "5d79d99f-264"
Accept-Ranges: bytes

[root@localhost nginx-1.16.0]# vim /usr/local/nginx/conf/nginx.conf

在sendfile on;后添加一行命令：

server_tokens off;

[root@localhost nginx-1.16.0]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@localhost nginx-1.16.0]# killall -HUP nginx                                     //重新加载配置
[root@localhost nginx-1.16.0]# curl -I http://192.168.200.115                  
HTTP/1.1 200 OK
Server: nginx                                                                                            //修改后的版本号
Date: Thu, 12 Sep 2019 05:45:43 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Thu, 12 Sep 2019 05:37:35 GMT
Connection: keep-alive
ETag: "5d79d99f-264"
Accept-Ranges: bytes