TL;DR
Nmap can reveal your nginx version, which is a security risk. This guide shows you how to block it by hiding the server token and disabling unnecessary modules.
Steps
- Edit Your Nginx Configuration File
- Hide the Server Token
- Disable Unnecessary Modules
- Test Your Configuration
- Restart Nginx
- Verify the Changes with nmap
- Firewall Considerations
The main configuration file is usually located at /etc/nginx/nginx.conf or in a site-specific config under /etc/nginx/sites-available/. Use your favourite text editor (e.g., nano, vim) with root privileges.
sudo nano /etc/nginx/nginx.conf
Add or modify the server_tokens off; directive within the http {} block of your configuration file. This prevents nginx from revealing its version in error pages and HTTP headers.
http {
...
server_tokens off;
...
}
Some modules expose information about your setup. Remove or comment out any modules you don’t need. For example, if you aren’t using the ngx_http_stub_status_module, disable it by commenting out its load_module line. Keep in mind that load_module only covers modules built as dynamic modules (.so files); a module compiled statically into the nginx binary cannot be removed this way. stub_status in particular only reveals anything (active connection and request counts) when a location block enables it with the stub_status directive, so remove that location as well.
# load_module modules/ngx_http_stub_status_module.so;   # commented out to disable the module
Before restarting nginx, always test your configuration for syntax errors.
sudo nginx -t
If the test is successful, you’ll see two lines like these:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Apply the changes by restarting nginx.
sudo systemctl restart nginx
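The edit, test and restart steps above, combined into one script that can be re-run safely. This is an added example, not code from the original guide: the function names are assumptions, the config path comes from the first argument, the 4-space indent on the inserted directive is a guess, and nginx -t and the reload only run where nginx is actually installed. It uses reload instead of restart because reload re-reads the configuration without dropping open connections, and it warns if a stub_status location is still enabled, since that page keeps serving connection counts regardless of server_tokens.

```shell
#!/bin/sh
# Added example, not code from the original guide: make the server_tokens
# change idempotent, then test and reload nginx only where it is installed.
# Function names and the 4-space indent are assumptions for illustration.
set -eu

# ensure_server_tokens_off FILE
# Leaves exactly one "server_tokens off;" in FILE: an existing directive
# (on, off or build) is rewritten in place; if none exists, one is inserted
# right after the opening of the http {} block. Prints the resulting line.
ensure_server_tokens_off() {
    cfg="$1"
    tmp="$(mktemp)"
    if grep -Eq '^[[:space:]]*server_tokens[[:space:]]' "$cfg"; then
        awk '/^[ \t]*server_tokens[ \t]/ { sub(/server_tokens[ \t]+[^;]*;/, "server_tokens off;") } { print }' \
            "$cfg" > "$tmp"
    else
        awk '{ print } !done && /^[ \t]*http[ \t]*[{]/ { print "    server_tokens off;"; done = 1 }' \
            "$cfg" > "$tmp"
    fi
    cat "$tmp" > "$cfg"   # write back through cat so ownership and mode are kept
    rm -f "$tmp"
    grep -E '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;' "$cfg" | head -n 1
}

# server_tokens_is_off FILE: succeed when the directive is present and off.
server_tokens_is_off() {
    grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;' "$1"
}

# stub_status_enabled FILE: succeed when some location still turns on
# stub_status (its status page leaks connection counts even with tokens off).
stub_status_enabled() {
    grep -Eq '^[[:space:]]*stub_status' "$1"
}

# apply_and_reload FILE: syntax-check, then reload (no dropped connections)
# rather than restart; skipped on machines without nginx.
apply_and_reload() {
    if command -v nginx >/dev/null 2>&1; then
        sudo nginx -t -c "$1" && sudo systemctl reload nginx
    else
        echo "nginx not installed here; skipping nginx -t and reload" >&2
    fi
}

# Stand-alone use: ./harden_tokens.sh /etc/nginx/nginx.conf
if [ "$#" -gt 0 ]; then
    ensure_server_tokens_off "$1"
    stub_status_enabled "$1" && echo "warning: stub_status is still enabled in $1" >&2
    apply_and_reload "$1"
fi
```

Run it against a copy of the configuration first; the functions only touch the file they are given, so a test on a scratch copy shows exactly what will be written before the real file is changed.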
Run an nmap scan against your server to confirm that the version information is no longer being detected. Use a command like this, replacing the placeholder with your server’s host name or IP address:
nmap -sV your.server.example
Look at the SERVICE and VERSION columns in the output. The VERSION column should not display nginx’s specific version number. You might see something generic like ‘http’ or no service information at all; because server_tokens off still sends a Server: nginx header, nmap may also name nginx without a version, which is the expected result.
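A direct check of the Server header, as an added example that is not part of the original guide. nmap’s -sV probe reads the same header for HTTP, so this shows what it will see: with server_tokens off nginx still sends Server: nginx, only the version number is gone. The host name, the function names and the two sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original guide: inspect the Server header
# directly with curl, which is what nmap's -sV probe reads for HTTP. The host
# name, function names and sample responses are assumptions for illustration.
set -eu

# server_header: read a raw HTTP response header block on stdin and print the
# value of the Server header (case-insensitive, tolerant of CRLF line ends).
server_header() {
    tr -d '\r' | awk 'tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# leaks_version VALUE: succeed when the header value carries a version number
# such as nginx/1.18.0; a bare "nginx" is what server_tokens off produces.
leaks_version() {
    printf '%s\n' "$1" | grep -Eq '[0-9]+\.[0-9]+'
}

# check_live HOST: fetch the headers from a running server and report.
check_live() {
    hdr="$(curl -sI --max-time 5 "http://$1/" | server_header)"
    if leaks_version "$hdr"; then
        echo "LEAK  Server: $hdr"
        return 1
    fi
    echo "ok    Server: ${hdr:-(no Server header)}"
}

# Constructed sample responses (not captured from a real host): before and
# after server_tokens off.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html'
SAMPLE_AFTER='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

# Stand-alone use: ./check_tokens.sh your.server.example
# Without an argument, the two constructed samples are classified instead.
if [ "$#" -gt 0 ]; then
    check_live "$1"
else
    for s in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
        v="$(printf '%s\n' "$s" | server_header)"
        if leaks_version "$v"; then echo "LEAK  Server: $v"; else echo "ok    Server: $v"; fi
    done
fi
```

Checking the header yourself is faster than a full nmap run and works the same way on error pages, where nginx also omits the version once server_tokens is off.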
While hiding the server token is a good first step, consider using a firewall (like ufw or iptables) to further restrict access to your server and limit potential attack vectors. This isn’t directly related to nmap detection but improves overall cyber security.