
Bug #23684

Disable Nginx server tokens

Added by Martin Herrman over 1 year ago. Updated 11 months ago.

Status:
Resolved
Priority:
Nice to have
Assignee:
William Grzybowski
Category:
OS
Target version:
Seen in:
Sprint:
Severity:
New
Backlog Priority:
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

Nginx reveals sensitive information that a possible attacker could use:

telnet <my-freenas-ip> 80
Trying <my-freenas-ip>...
Connected to <my-freenas-ip>.
Escape character is '^]'.
GET index.html
HTTP/1.1 400 Bad Request
Server: nginx/1.10.1
Date: Sun, 30 Apr 2017 13:22:10 GMT
Content-Type: text/html
Content-Length: 173
Connection: close

<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.10.1</center>
</body>
</html>
Connection closed by foreign host.

Both the header and the HTML content show that Nginx is used and contain the version number.
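As an added illustration (not part of the ticket or of the FreeNAS fix), a POSIX shell check that flags nginx version disclosure in a captured HTTP response, run over two constructed samples: the 400 page quoted above and the same page after `server_tokens off;`. The function names `nginx_version_leaked` and `audit_response` are assumed for this example.

```shell
#!/bin/sh
# Added example (not from the FreeNAS ticket or its fix): report whether a raw
# HTTP response discloses the nginx version, either in the Server header or in
# the "<center>nginx/x.y.z</center>" footer of nginx's built-in error pages.
# The fix the ticket applies is "server_tokens off;" in the http {} block of
# nginx.conf; after that nginx sends "Server: nginx" and a footer of just "nginx".

# Print the disclosed nginx version found in the response text ($1).
# Returns 0 when a version is found, 1 when the response is clean.
nginx_version_leaked() {
    ver=$(printf '%s\n' "$1" \
        | grep -E -o -i '(Server: *nginx/|<center>nginx/)[0-9][0-9.]*' \
        | head -n 1 | sed 's/.*nginx\///') || true
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# Human-readable verdict; exit status 1 on a leak so it can gate a script.
audit_response() {
    if ver=$(nginx_version_leaked "$1"); then
        echo "LEAK: nginx version $ver disclosed; set 'server_tokens off;' and reload nginx"
        return 1
    fi
    echo "OK: no nginx version disclosed"
}

# Constructed sample: the 400 response quoted in the ticket (version shown).
LEAKY_RESPONSE=$(cat <<'EOF'
HTTP/1.1 400 Bad Request
Server: nginx/1.10.1
Content-Type: text/html

<html><head><title>400 Bad Request</title></head>
<body><center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.10.1</center></body></html>
EOF
)

# Constructed sample: the same response after "server_tokens off;".
HARDENED_RESPONSE=$(cat <<'EOF'
HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: text/html

<html><head><title>400 Bad Request</title></head>
<body><center><h1>400 Bad Request</h1></center>
<hr><center>nginx</center></body></html>
EOF
)

audit_response "$LEAKY_RESPONSE" || true   # reports the leak, exit status 1
audit_response "$HARDENED_RESPONSE"        # clean, exit status 0
```

To check a live box instead of the samples, feed it the captured headers and body, e.g. `audit_response "$(curl -sS -D - http://<freenas-ip>/)"`.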

Associated revisions

Revision 80db7745 (diff)
Added by William Grzybowski over 1 year ago

fix(rc.d): disable server tokens

Ticket: #23684

History

#1 Updated by Kris Moore over 1 year ago

  • Assignee changed from Alexander Motin to William Grzybowski
  • Target version set to 11.1

#2 Updated by Anthony Takata over 1 year ago

Do people normally expose the system console to the Internet though? That seems like a much bigger problem from the get-go.
Asking for a friend, he seems to believe normally people would install their own web hosting software instead of trying to hijack the FreeNAS internal system...

#3 Updated by Martin Herrman over 1 year ago

Anthony Takata wrote:

Do people normally expose the system console to the Internet though? That seems like a much bigger problem from the get-go.
Asking for a friend, he seems to believe normally people would install their own web hosting software instead of trying to hijack the FreeNAS internal system...

I hope no-one exposes the web interface directly to the internet :-)

Not exposing sensitive data like version numbers is much more a best practice that should be applied. My first hit on Google:

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-on-ubuntu-14-04

In a proper setup the FreeNAS web interface is only available to sysadmins, preferably via a management VLAN. But in practice many organisations will not have this setup and the interface might even be (often unexpectedly) available to guests. Besides that, if an attacker succeeds in getting into a protected VLAN, life should not become easier for him to get into the FreeNAS box.

#4 Updated by William Grzybowski over 1 year ago

  • Status changed from Unscreened to Screened
  • Priority changed from No priority to Nice to have

#5 Updated by William Grzybowski over 1 year ago

  • Status changed from Screened to Resolved

#6 Updated by Dru Lavigne about 1 year ago

  • Subject changed from Nginx reveals sensitive information to Disable Nginx server tokens

#7 Updated by Dru Lavigne about 1 year ago

  • Target version changed from 11.1 to 11.1-BETA1

#8 Updated by Nick Wolff 11 months ago

  • QA Status Test Passes FreeNAS added
  • QA Status deleted (Not Tested)

#9 Updated by Joe Maloney 11 months ago

  • Needs QA changed from Yes to No
