How to hide kernel information


How to hide kernel information

Praveen Kumar K S
Hello,

I have hosted Nginx 1.16.1 on Ubuntu 16.04 and have configured SSL from LetsEncrypt. Everything is running fine. Only ports 80 and 443 are allowed.

During security testing, I see that kernel information is exposed on the domain. More details at https://www.tenable.com/plugins/nessus/11936

Is there any way to hide kernel information using Nginx?

Cheers,
PK

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: How to hide kernel information

lists@lazygranch.com
Well, I know nmap can detect the OS. I don't recall that it could detect the rev of the kernel.

https://nmap.org/book/man-os-detection.html

https://nmap.org/book/defenses.html


Re: How to hide kernel information

Praveen Kumar K S
SINFP method is used to get the kernel information.

--
Regards,

K S Praveen Kumar
M: +91-9986855625



Re: How to hide kernel information

lists@lazygranch.com
Have you tried it? 
https://securiteam.com/tools/5qp0920ikm/

I ran the nmap OS detection on my own server once and it triggered SSHGuard, locking me out. So a tip is you may want to run SINFP from a disposable IP address if you are running fail2ban, etc. 

Re: How to hide kernel information

Praveen Kumar K S
Okay. I don't know exactly how the Security Testing Team is able to get the kernel information. They use Qualys and Nessus for performing tests. All I can say is that only port 443 is allowed to the server, and I thought of asking you guys if it is from Nginx or if there is any way to handle it. The server is behind a firewall.


Re: How to hide kernel information

Josef Vybíhal
The test is GUESSing; it's written there in the link you posted. What are your HTTP headers - what do you expose there? Do you expose your nginx version to clients? Like in headers? Error pages? From those, it's possible to determine the OS used and then guess kernel information. Is your app leaking this info? Is a simple HTML page "leaking" it too?

In normal conditions, nginx does not expose such information - why would it? Post your config, or something to work with, maybe. First you say 80 and 443, then only 443; also you say "I see that kernel information is exposed on domain" - where do you see that? Show us, and help us better understand...

My guess is: it's guessing from some header or error page, where there is info like:
Server: nginx/1.4.6 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.25

in headers, for example.

P.

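To make the header check Josef suggests concrete, here is an added example (not from the thread and not nginx's own code) that parses a raw HTTP response and names the nginx directive that removes each disclosing header. Both responses are constructed; the leaky one uses the header values quoted above.

```python
"""Flag HTTP response headers that reveal server version or OS (added example)."""
import re
from typing import Dict, List

# Constructed sample responses; the leaky one uses the header values quoted in the thread.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.4.6 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4.25\r\n"
    "Content-Type: text/html\r\n\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"                      # what 'server_tokens off;' produces
    "Content-Type: text/html\r\n\r\n"
)

VERSION_RE = re.compile(r"/\d+\.\d+")                            # nginx/1.4.6, PHP/5.5.9
DISTRO_RE = re.compile(r"ubuntu|debian|centos|fedora|red ?hat", re.I)
# Headers an upstream (PHP-FPM, app server) adds, and the nginx directive that strips them.
UPSTREAM_HEADERS = {
    "x-powered-by": "fastcgi_hide_header X-Powered-By; (proxy_hide_header for proxied apps)",
    "x-aspnet-version": "proxy_hide_header X-AspNet-Version;",
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the header block of a raw HTTP response as a lower-cased dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_leaks(raw: str) -> List[str]:
    """List each disclosing header with the nginx setting that removes it."""
    headers = parse_headers(raw)
    findings: List[str] = []
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings.append("Server reveals version -> server_tokens off;")
    if DISTRO_RE.search(server):
        findings.append("Server reveals OS distribution -> server_tokens off;")
    for name, fix in UPSTREAM_HEADERS.items():
        if name in headers:
            findings.append(f"{name} reveals upstream stack -> {fix}")
    return findings
```

Run it against the raw response of your own server (for example the output of `curl -si`) to see what the scanner's "guess" is built from.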

Re: How to hide kernel information

J.R.
In reply to this post by Praveen Kumar K S
> Okay. I exactly don't know how the Security Testing Team is able to get the
> kernel information. They use Qualys and Nessus for performing tests. All I
> can say is only port 443 allowed to the server and I thought asking you
> guys if it is from Nginx or is there any way to handle it. Server is behind
> firewall.

As someone else commented, check your HTTP headers to make sure they
aren't publishing something extremely obvious for the casual scanner.

As for determining kernel version, the web server has zero control
over that. The scanner program you are referring to fingerprints based
on kernel TCP settings / support... i.e. TCP Flags, Window, Options,
MSS, etc...  Totally unrelated to nginx, and the same information
could be gathered on any open service / port.
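To see concretely what J.R. means, here is an added example (not from the thread) that pulls those fields out of an IPv4/TCP SYN-ACK, the reply any open port produces regardless of what is listening on it. The packet bytes are constructed (checksums left as zero) with typical Linux defaults for TTL, window and option order; nothing in nginx.conf influences any of them, which is why the fix, if one is wanted, lives at the kernel or firewall level.

```python
"""Fields an OS fingerprinter reads from a TCP SYN-ACK (added example; constructed packet)."""
import struct
from typing import Dict, List, Optional

SAMPLE_SYN_ACK = bytes.fromhex(
    "4500003c 00004000 4006 0000 0a000001 0a000002"  # IPv4: DF set, TTL 64, proto 6, csum 0
    "01bb9c40 00000001 00000002 a012 7210 0000 0000"  # TCP 443->40000, SYN|ACK, win 29200
    "020405b4 0402 080a 00000001 00000000 01 030307"  # opts: MSS 1460, SACK, TS, NOP, WS 7
)
OPTION_NAMES = {2: "M", 3: "W", 4: "S", 8: "T"}  # MSS, wscale, SACK-permitted, timestamps


def parse_syn_ack(packet: bytes) -> Dict[str, object]:
    """Extract TTL, DF, flags, window and option layout from an IPv4/TCP segment."""
    ver_ihl, _tos, _tlen, _ident, frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = packet[(ver_ihl & 0x0F) * 4:]
    _sp, _dp, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    opts = tcp[20:(off_flags >> 12) * 4]          # option bytes between header and data
    order: List[str] = []
    mss: Optional[int] = None
    wscale: Optional[int] = None
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end-of-options
            break
        if kind == 1:            # NOP, one byte of padding
            order.append("N")
            i += 1
            continue
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3:
            wscale = body[0]
        order.append(OPTION_NAMES.get(kind, str(kind)))
        i += length
    return {"ttl": ttl, "df": bool(frag & 0x4000), "syn_ack": (off_flags & 0x12) == 0x12,
            "window": window, "options": ",".join(order), "mss": mss, "wscale": wscale}


def fingerprint_line(packet: bytes) -> str:
    """Summarise the fields in the style of a fingerprint database entry."""
    f = parse_syn_ack(packet)
    return (f"ttl={f['ttl']} df={int(f['df'])} win={f['window']} "
            f"opts={f['options']} mss={f['mss']} ws={f['wscale']}")
```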

Re: How to hide kernel information

Praveen Kumar K S
Thank you for your support. I will take all your inputs into consideration to fix this issue.


Re: How to hide kernel information

lists@lazygranch.com
In reply to this post by Josef Vybíhal
Not to get too far off topic, but unless your server is important (government, financial, etc.), it is most likely that the hacks it will receive are just "sprayed." They don't care what rev of OS you are running.

The hacker tries a number of exploits on IP space known to host servers. Who you are is irrelevant. Just look at your Nginx logs, especially response 400 "bad request". I get Windows RDP attempts all the time even though I don't use Windows or RDP. I have a number of request checks in an Nginx map to flag for services I don't use, WordPress and other CMSs I don't use, for example. I return a 444. Once a week I run a script to pull all the 400 and 444 returns and feed the IPs to

https://www.bulkseotools.com/bulk-ip-to-location.php

If the IPs return to a hosting company, VPS or even CDN, they go to a blocking file for the firewall. I use bgp.he.net to get the entire IP space. You can block by IP in Nginx, but Nginx still parses the request, which I assume uses some CPU time. A firewall is more efficient. I include both web and email ports other than 25 in the firewall.

If you want to get more sophisticated, you can pull the "payload" IPs from the 400 bad requests. That is, there are cases where the hack comes from an ISP but the payload is from a hosting site or VPS.

I also have an Nginx map of bad user agents and flag them with the 444. Yes, I know about fail2ban. However, my scheme permanently blocks the IP space of these hosting companies. These hackers change IPs all the time but stick with the same hosting service, OVH for example.

A once-a-week check on the logs will yield two or three IPs that come back to hosting companies, but this is because I am blocking so much IP space. Note servers have no eyeballs.

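An added example (not the poster's own script) of the weekly log pull described above: it parses nginx's default combined log format, counts 400 and 444 responses per client IP and returns the list to hand to the IP lookup. The log lines are constructed with RFC 5737 documentation addresses; the first one mimics what a stray RDP connection attempt looks like when nginx logs it as a bad request.

```python
"""Pull client IPs behind 400/444 responses out of an nginx access log (added example)."""
import re
from collections import Counter
from typing import Iterable, List, Tuple

# nginx's default "combined" log_format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log (documentation addresses, not real clients).
SAMPLE_LOG = r'''203.0.113.5 - - [28/Apr/2020:09:41:00 +0000] "\x03\x00\x00\x2F\x2A\xE0\x00\x00\x00\x00\x00" 400 166 "-" "-"
198.51.100.7 - - [28/Apr/2020:09:42:10 +0000] "GET /wp-login.php HTTP/1.1" 444 0 "-" "Mozilla/5.0"
192.0.2.10 - - [28/Apr/2020:09:43:05 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Apr/2020:09:44:30 +0000] "GET /xmlrpc.php HTTP/1.1" 444 0 "-" "python-requests/2.23"
203.0.113.5 - - [28/Apr/2020:09:45:00 +0000] "-" 400 0 "-" "-"
'''

BLOCK_STATUSES = {"400", "444"}   # bad request, and the map-driven "return 444" drops


def rejected_requests(lines: Iterable[str]) -> Counter:
    """Count, per client IP, the requests nginx answered with 400 or 444."""
    hits: Counter = Counter()
    for line in lines:
        m = COMBINED_RE.match(line)
        if m and m.group("status") in BLOCK_STATUSES:
            hits[m.group("ip")] += 1
    return hits


def lookup_list(hits: Counter, min_hits: int = 1) -> List[Tuple[str, int]]:
    """IPs to feed to the geolocation / ASN lookup, busiest first."""
    return sorted(((ip, n) for ip, n in hits.items() if n >= min_hits),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, n in lookup_list(rejected_requests(SAMPLE_LOG.splitlines())):
        print(ip, n)
```

Point `rejected_requests` at the real access log (`open("/var/log/nginx/access.log")`) and the output is the IP list the post feeds to the lookup site before deciding what goes into the firewall block file.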