How to Hide Nginx Server Version in Linux?

Nginx is a popular open-source web server that is used by many companies and websites to serve their content efficiently. By default, Nginx displays the server version number in its response headers, which can be viewed by anyone with access to a web browser or other network analysis tools.

While this information may seem harmless, it can actually pose significant risks to your website's security. Revealing your server version makes your website an easier target for attackers who can research known vulnerabilities specific to that version.

Understanding the Security Risks

Exploitation by Attackers

One of the primary risks associated with revealing your Nginx server version is that it makes your website an easier target for hackers. By knowing which version of Nginx you are using, an attacker can research known vulnerabilities and exploits that may work on your specific server. This information can then be used to launch targeted attacks that could potentially compromise your website's security.

Increased Attack Surface

By advertising the exact software version you are running, you make it easy for attackers to plan targeted attacks against known vulnerabilities or weaknesses in that specific software. This can lead to a higher likelihood of successful attacks and more severe consequences if those attacks succeed.

Methods to Hide Nginx Server Version

Method 1: Editing the Configuration File

The most straightforward way to hide the Nginx server version is by editing the main configuration file. Follow these steps:

Step 1: Open the Nginx configuration file using a text editor

sudo nano /etc/nginx/nginx.conf

Step 2: Add or modify the server_tokens directive in the http block

http {
    server_tokens off;
    # other configurations...
}

Step 3: Test the configuration for syntax errors

sudo nginx -t

Step 4: If no errors are found, restart Nginx to apply changes

sudo systemctl restart nginx

Method 2: Using the headers-more Module

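Another approach is to use the headers-more third-party module, which allows complete removal or modification of HTTP response headers sent by Nginx. This matters because server_tokens off only drops the version number: the response still carries a Server header with the value nginx.

Step 1: Install the headers-more module (if not already installed). The package name varies with the repository your Nginx packages come from.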

sudo apt-get install nginx-module-headers-more

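Step 2: Load the module in your Nginx configuration. The load_module directive belongs in the main context, at the top of nginx.conf before the events and http blocks.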

load_module modules/ngx_http_headers_more_filter_module.so;

Step 3: Add the directive to hide or modify the Server header

http {
    more_set_headers 'Server: CustomServer';
    # or completely remove it:
    # more_clear_headers 'Server';
}

Additional Security Measures

Disable Directory Listing

Directory listing allows attackers to browse through directories and files on your web server. Nginx leaves it off by default; to make sure it stays disabled, add the following directive:

server {
    autoindex off;
    # other server configurations...
}

Enable HTTPS Encryption

HTTPS encryption ensures that data sent between clients and servers cannot be read or altered by anyone who intercepts it. Configure SSL/TLS in your server block:

server {
    listen 443 ssl;
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
    # other SSL configurations...
}

Implement Access Controls

Limit access to your web server using IP whitelisting or password protection:

# IP-based access control
location /admin {
    allow 192.168.1.0/24;
    deny all;
}

# Password protection
location /secure {
    auth_basic "Restricted Content";
    auth_basic_user_file /etc/nginx/.htpasswd;
}

Verification

After implementing these changes, verify that the server version is hidden by checking the HTTP headers:

curl -I http://your-domain.com

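With server_tokens off, the Server header reads nginx with no version number, and the version also disappears from Nginx's built-in error pages. With the headers-more module, the Server header is either absent or shows your custom value.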
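
The check above can be scripted. The following is an added example, not part of the original article: it classifies the Server header and goes one step further by inspecting an error page body, because server_tokens also controls the version printed in Nginx's built-in error pages. The function names and the probe path are hypothetical.

```shell
#!/bin/sh
# Added example: classify what a response reveals about the Nginx version.
# Function names and the probe path are hypothetical, not part of Nginx or curl.

# Read raw response headers on stdin and print one of:
#   version-exposed | nginx-no-version | custom | absent
classify_server_header() {
    # Header names are case-insensitive (HTTP/2 output is lowercase); drop CRs.
    value=$(tr -d '\r' | awk -F: 'tolower($1) == "server" {
        sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }')
    case "$value" in
        "")            echo absent ;;
        *[0-9].[0-9]*) echo version-exposed ;;   # e.g. nginx/1.24.0
        nginx)         echo nginx-no-version ;;  # result of server_tokens off
        *)             echo custom ;;            # e.g. set via more_set_headers
    esac
}

# Read a response body on stdin; succeed if a built-in Nginx error page
# footer still prints the version (it does while server_tokens is on).
body_leaks_version() {
    tr -d '\r' | grep -Eqi '<center>nginx/[0-9]+\.[0-9]+'
}

# Live check against a server you operate: headers, then a 404 error page.
audit_url() {
    url=${1%/}
    echo "Server header: $(curl -sI "$url/" | classify_server_header)"
    if curl -s "$url/version-check-missing-page" | body_leaks_version; then
        echo "Error page: version exposed"
    else
        echo "Error page: no version found"
    fi
}

# Run the live check only when a URL is passed on the command line.
if [ "$#" -gt 0 ]; then
    audit_url "$1"
fi
```

Save it as a script and pass your own site's URL as the only argument to run both checks against the live server.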

Conclusion

Hiding your Nginx server version is a simple but effective security measure that reduces your attack surface. By implementing the server_tokens off directive or using third-party modules, you can prevent attackers from easily identifying your server version and researching specific vulnerabilities. Combined with other security measures like HTTPS and access controls, this helps create a more secure web server environment.

Updated on: 2026-03-17T09:01:38+05:30
