Blocking nginx from nmap version detection

If you want to protect your web server from attacks and scans like the one made by nmap, I would recommend that you follow this nginx hardening guide.

This guide contains the following security measures:

  • Disable Any Unwanted nginx Modules
  • Disable nginx server_tokens
  • Control Resources and Limits
  • Disable Any Unwanted HTTP methods
  • Install ModSecurity for Your nginx Web Server
  • Set Up and Configure nginx Access and Error Logs
  • Monitor nginx Access and Error Logs
  • Configure Nginx to Include Security Headers
  • Configure SSL and Cipher Suites
  • Update Your Server Regularly
  • Check Your Configuration with Gixy
  • You Don’t Have to Do It Manually (Automate)

With ModSecurity and Fail2Ban you can block malicious User-Agents, pretty similar to what you mentioned above; here is a quick guide on how to do it. This may be a better option than doing the process manually.

Additionally, from what I read in your question, what you really want to do is hide the banner displayed by nginx; this prevents banner grabbing attacks and identification of the technologies used on your server.

You can reduce the amount of information shown by nginx by adding the following line to your nginx.conf file:

server_tokens off;

Then, restart your service. With this change nginx is configured not to send any version number in the HTTP headers.

nginx banner

You can also remove the server name or replace it with any string you want. However, since nginx modules cannot be dynamically loaded (according to Acunetix), you need to recompile nginx from source with the HttpHeadersMoreModule nginx module.

Here is a link in the Nginx forums where this topic was already discussed; it indicates the exact changes that you have to make in the nginx source code to hide the banner.

If you want to remove the name of the server completely you need to alter the source code prior to compiling.

Edit /path/to/nginx-0.*/src/http/ngx_http_header_filter_module.c lines 48 and 49 (the two strings are C character arrays):

static char ngx_http_server_string[] = "Server: nginx" CRLF;
static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;

Replace them with any string you like; you can even put something like Apache in order to deceive attackers.

If you want to edit NGINX_VER, it is defined, along with some other relevant constants, in /path/to/nginx-0.*/src/core/nginx.h, lines 11-13.

Finally, as a workaround that I found, you can do the following to change the banner without having to compile nginx from source:

  1. Install nginx-extras:

    sudo apt install -y nginx-extras
    
  2. Edit your nginx.conf file, usually located in /etc/nginx/nginx.conf and add the following 2 lines:

    more_clear_headers Server;
    more_set_headers 'Server: Nothing';
    

    Please note that you can put any string you like, in my case this is my configuration file to simulate a Google Web Server banner:

    galoget@hackem:~$ cat /etc/nginx/nginx.conf
    user www-data;
    worker_processes auto;
    pid /run/nginx.pid;
    include /etc/nginx/modules-enabled/*.conf;
    
    events {
       worker_connections 768;
       # multi_accept on;
    }
    
    http {
    
       ##
       # Basic Settings
       ##
    
       sendfile on;
       tcp_nopush on;
       tcp_nodelay on;
       keepalive_timeout 65;
       types_hash_max_size 2048;
       server_tokens off;
    
       include /etc/nginx/mime.types;
       default_type application/octet-stream;
    
       ##
       # SSL Settings
       ##
    
       ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
       ssl_prefer_server_ciphers on;
    
       ##
       # Logging Settings
       ##
    
       access_log /var/log/nginx/access.log;
       error_log /var/log/nginx/error.log;
    
       ##
       # Gzip Settings
       ##
    
       gzip on;
    
       ##
       # Virtual Host Configs
       ##
    
       include /etc/nginx/conf.d/*.conf;
       include /etc/nginx/sites-enabled/*;
    
       ##
       # Custom Banner Message - Set to show GWS (Google Web Server)
       ##
    
       more_clear_headers Server;
       more_set_headers 'Server: gws';
    }
    
  3. Check the syntax of your configuration file to see if everything is OK:

    sudo nginx -t
    
  4. Reload or restart your nginx service:

    sudo systemctl reload nginx
    

I just tested these steps and they are working perfectly, please see the screenshots below:

Before doing the previous steps:

In this image I include the server headers with server_tokens off; added to the config file, so no specific version of nginx is shown:

default nginx banner

After doing the previous steps:

custom nginx banner

Hope you find this complete guide useful.
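As an added check (example code, not part of the original answer), this Python script classifies the Server header of HTTP responses the way the before/after screenshots above do: version leaked, product name only (server_tokens off), replaced by an unrelated string (headers-more), or absent. The sample responses are constructed, not captured from a real host.

```python
import re

# Constructed sample responses (not captured from a real host): the default
# banner, server_tokens off, the headers-more replacement, and no header at all.
SAMPLE_RESPONSES = {
    "default": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n",
    "tokens_off": "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n",
    "headers_more": "HTTP/1.1 200 OK\r\nServer: gws\r\nContent-Type: text/html\r\n\r\n",
    "no_header": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

# Product names whose presence alone tells a scanner which software runs.
KNOWN_PRODUCTS = ("nginx", "apache", "openresty", "litespeed", "iis", "caddy")
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")


def parse_headers(raw: str) -> dict:
    """Split a raw HTTP/1.x response head into a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_server_header(raw: str) -> dict:
    """Classify how much the Server header gives away, worst to best:
    'version' (product and version, what nmap -sV reads), 'product'
    (server_tokens off: name only; a decoy like 'Apache' lands here too),
    'masked' (headers-more replaced it with an unrelated string), 'absent'."""
    server = parse_headers(raw).get("server")
    if server is None:
        return {"server": None, "level": "absent"}
    if VERSION_RE.search(server):
        return {"server": server, "level": "version"}
    if any(p in server.lower() for p in KNOWN_PRODUCTS):
        return {"server": server, "level": "product"}
    return {"server": server, "level": "masked"}


def audit_all(samples: dict = SAMPLE_RESPONSES) -> dict:
    """Return {sample name: level} for a batch of raw responses."""
    return {name: audit_server_header(raw)["level"] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, level in audit_all().items():
        print(f"{name:13s} -> {level}")
```

Feed it the raw output of a header request against your own server after each step to confirm the reload actually took effect.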

multithreading – C++ producer-consumer using blocking buffer

I’m working on a programming exercise (university, nothing related to industry) which basically asks to implement a Buffer to be used by two threads (a producer and a consumer). The first one enqueues data calling next(T t), while the other gets the oldest value (in a FIFO mechanism) calling consume() or waits if the buffer is empty. The producer can send a stop signal to declare the enqueuing ended. The text also requires a fail() method in case anything goes wrong, but I’d like to ignore it for this question.
This is my solution:

#include <condition_variable>
#include <exception>
#include <mutex>
#include <optional>
#include <queue>
#include <stdexcept>

template <typename T>
class Buffer {
    std::mutex m;
    std::condition_variable cv;
    std::queue<T> values;
    bool stop, failed;
    std::exception_ptr _eptr;

public:
    Buffer() : stop(false), failed(false) {}

    void fail (const std::exception_ptr &eptr){
        {
          std::unique_lock ul{m};
          failed = true;
          _eptr = eptr;
        }
        cv.notify_all();
    }

    void terminate(){
        {
          std::unique_lock ul {m};
          if (stop || failed ) throw std::runtime_error("enqueing has stopped");
          stop = true;
        }
        cv.notify_one(); // notify stop signal
    }

    void next(T t) {
        {
          std::unique_lock ul{m};
          if ( stop || failed ) throw std::runtime_error ("enqueing has stopped");
          values.push(t);
        }
        cv.notify_one(); // notify the consumer (if waiting)
    }

    std::optional<T> consume(){
        std::unique_lock ul{m};
        // wait until there is a value, or a stop/fail signal has been sent
        cv.wait(ul, [this]() { return !values.empty() || stop || failed; });
        if (values.empty()) { // if got notified and the queue is empty, then stop or failed have been sent
            if (stop)
                return std::nullopt;
            else
                std::rethrow_exception(_eptr);
        }
        // extract the value to consume
        T val = values.front();
        values.pop();
        return std::optional<T>(val);
    }
};

This is how I think the Buffer might be used (I’m still ignoring the fail() method):

#include <iostream>
#include <thread>

#define N 10000

int main() {
    Buffer<int> buf;

    std::thread prod([&buf]() {
        for(int i = 0 ; i < N; ++i) {
            std::cout << "enqueing: " << i << std::endl;
            buf.next(i);
        }

        buf.terminate();
    });

    std::thread cons([&buf]() {
        for(int i = 0; i < N; ++i)
            std::cout << "consuming: " << buf.consume().value() << std::endl;
    });

    prod.join();
    cons.join();
}

I have some questions:

  • Do you agree this is nothing but a blocking queue, or am I missing something?

  • Do I need to implement the destructor? If so, can you please show me an example of usage that requires having it?

  • What happens if the object goes out of scope and nobody called terminate()? Should I take care of this problem? Is it a Buffer’s problem anyway, or should the programmer using this class care about it? Can you please show me an example of when this happens (I was thinking about the threads being detached instead of joined, does it fit)?

How to get Firefox ad blocking performance from Safari?


networking – In the STP root bridge election process, how do switches advertise themselves as the root bridge if all of the ports start in the blocking state?

In the STP root bridge election process, all of the switches advertise themselves as the root bridge until they receive a superior BPDU.
Every source about STP says that after initialisation all of the ports start in the Blocking state. If the ports are in the blocking state, which means they can’t forward any frames, how can the switches forward their bridge ID in order for the root bridge election process to happen?

bootcamp – No TPM 2.0 Exposed My Bootcamp System: Blocking Windows 11 Upgrade

Damn secure enclave, you can’t emulate this $60 add-on chip, for PowerEdge models.

So in other words Windows 10 version next will continue to get updates? Or did that stop when this stupid incorrect came. It’s my number but JUST CALL IT WINDOWS.

In short, no more boot camping, bleeding that sucker battery on an AMD old non-integrated sucking heatswap; it’s at 80% charge, where it shall stay, until OEL I get Intel anomaly.

Sorry blind people

amazon web services – AWS network-acl blocking nginx dns resolution

I’m trying to lock down ports on my subnets, and am having a problem with an nginx instance that I’m running on ECS.

Traffic comes into the system on :443 to an ELB, which routes some of it to an nginx instance running on ECS, which proxy_pass-es it on to an external www address.

The nginx is set to proxy_pass to a domain name, and it’s using an nginx resolver configuration: resolver 8.8.8.8 ipv6=off valid=10s to resolve that to an IP address. The IP is not static, so I have to do this.

However, when I apply my network acl, everything works except for this dns resolution. The nginx returns Bad Gateway responses complaining that my domain could not be resolved (110: Operation timed out).

The network ACL is set up to allow all outbound traffic for all protocols, but limits inbound traffic to a specific set of ports.

I’ve tried adding 53 (UDP and TCP) into the inbound rules, but resolution still fails.

It’s important to note that if I allow all inbound traffic then the dns resolution works.

My question is either:

  1. What do I need to do to get the nginx resolver working when my network acl is applied?
  2. I know that every VPC comes with a DNS server so as to route AWS DNS names to VMs. Could I use that as my resolver instead?

privacy – Is wiping cookies, blocking trackers and not logging in sufficient to prevent profiling?

I use Firefox as my browser. My privacy settings are strict. I block

  • All third-party cookies, and always delete all cookies when Firefox is closed.
  • Tracking content (in all windows);
  • Cryptominers; and
  • Fingerprinters.

I never log in to sites such as Google, Facebook and such (I don’t even have an account) and never click advertisements (I block them with uBlock Origin).

As far as I know, the only information I am giving away is my device’s IP address. However, that IP address is not unique, it is shared among some thousands of devices that my ISP serves.

Now, I guess that is an overly optimistic reasoning and that I must be missing something, so I ask: Assuming the ISP refuses to collaborate with them, could tracking companies still identify and profile me? How so?

I have read this related question but it does not answer my main question.
