curl -I 127.0.0.1:80/index.html

HTTP/1.1 200 OK
Server: nginx/1.17.3
Date: Tue, 11 Feb 2020 03:26:52 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3888
Last-Modified: Fri, 20 Sep 2019 03:17:19 GMT
Connection: keep-alive
Keep-Alive: timeout=15
ETag: "5d8444bf-f30"
Content-Encoding: gzip

This shows anyone that the server is running nginx 1.17.3. A known version narrows the search: an attacker can look up the vulnerabilities that exist for that exact nginx release and target it accordingly.
Go to the nginx configuration directory and add server_tokens off; inside the http { } block, for example:

http {
    server_tokens off;
    include mime.types;
    default_type application/octet-stream;
    ... other directives omitted ...
}
The version is also passed to FastCGI backends, so edit fastcgi.conf or fcgi.conf as well (the file name is configurable; adjust to the actual file name used):

Find:
    fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
Change to:
    fastcgi_param SERVER_SOFTWARE nginx;
# Test the nginx configuration
nginx -t
# Expected result:
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
## Reload the configuration
nginx -s reload
curl -I 127.0.0.1:80/index.html

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Feb 2020 03:26:52 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3888
Last-Modified: Fri, 20 Sep 2019 03:17:19 GMT
Connection: keep-alive
Keep-Alive: timeout=15
ETag: "5d8444bf-f30"
Content-Encoding: gzip
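The whole procedure above (check the Server header, set server_tokens off, fix the FastCGI SERVER_SOFTWARE parameter, re-check) can be turned into a repeatable verification script. The following is an added example written for this page, not code from the original post. It works on header blocks and configuration text passed in as strings; the header blocks and config snippets below are constructed samples embedded inline so the script runs offline, and in real use you would feed it the output of `curl -sI http://127.0.0.1/` and the contents of nginx.conf and fastcgi.conf. The function names are the example's own.

```shell
#!/bin/sh
# Added example: detect an nginx version leak in HTTP response headers and
# verify that the configuration has the two fixes described above.

# --- Constructed sample inputs (not captured from a real server) ---------

# Header block before the fix: version visible in the Server header.
BEFORE_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.17.3
Date: Tue, 11 Feb 2020 03:26:52 GMT
Content-Type: text/html; charset=utf-8'

# Header block after server_tokens off: bare product name only.
AFTER_HEADERS='HTTP/1.1 200 OK
Server: nginx
Date: Tue, 11 Feb 2020 03:26:52 GMT
Content-Type: text/html; charset=utf-8'

# Config snippets: nginx defaults to server_tokens on, so a missing or
# commented-out directive still leaks.
CONF_DEFAULT='http {
    include mime.types;
}'
CONF_FIXED='http {
    server_tokens off;
    include mime.types;
}'
CONF_COMMENTED='http {
    # server_tokens off;
    include mime.types;
}'

# FastCGI parameter before and after the change (single quotes keep the
# $nginx_version variable literal; nginx expands it, not the shell).
FCGI_BEFORE='fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;'
FCGI_AFTER='fastcgi_param SERVER_SOFTWARE nginx;'

# --- Checks ---------------------------------------------------------------

# server_leaks_version HEADERS
# Returns 0 (true) when the Server header carries a "product/x.y[.z]" version,
# 1 when it is bare (e.g. "Server: nginx") or absent. CR is stripped so real
# CRLF curl output works too.
server_leaks_version() {
    printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^server:' \
        | grep -Eq '/[0-9]+(\.[0-9]+)+'
}

# server_tokens_is_off CONFIG_TEXT
# Returns 0 when an active (uncommented) "server_tokens off;" directive is
# present, 1 otherwise. Comments are removed before matching so that a
# commented-out directive does not count as a fix.
server_tokens_is_off() {
    printf '%s\n' "$1" | sed 's/#.*//' \
        | grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;'
}

# fastcgi_leaks_version CONFIG_TEXT
# Returns 0 when SERVER_SOFTWARE is still built from $nginx_version, which
# would hand the version to PHP-FPM and any script that prints it.
fastcgi_leaks_version() {
    printf '%s\n' "$1" | sed 's/#.*//' \
        | grep -Eq 'fastcgi_param[[:space:]]+SERVER_SOFTWARE[[:space:]]+[^;]*\$nginx_version'
}

# --- Report on the constructed samples -----------------------------------

report() {
    for label in BEFORE AFTER; do
        eval "hdrs=\$${label}_HEADERS"
        if server_leaks_version "$hdrs"; then
            echo "$label headers: Server header leaks a version"
        else
            echo "$label headers: no version in Server header"
        fi
    done
    server_tokens_is_off "$CONF_FIXED"     && echo "CONF_FIXED: server_tokens off present"
    server_tokens_is_off "$CONF_DEFAULT"   || echo "CONF_DEFAULT: server_tokens off missing"
    server_tokens_is_off "$CONF_COMMENTED" || echo "CONF_COMMENTED: directive is commented out"
    fastcgi_leaks_version "$FCGI_BEFORE"   && echo "FCGI_BEFORE: SERVER_SOFTWARE still carries \$nginx_version"
    fastcgi_leaks_version "$FCGI_AFTER"    || echo "FCGI_AFTER: SERVER_SOFTWARE is bare"
}

report
```

Only the Server header is checked here; server_tokens off also removes the version from nginx's built-in error pages, which a complete check would fetch and inspect as well.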