How to Completely Obfuscate Server and OS Information from Web Scanners like BuiltWith


When you run a web server, it naturally broadcasts various identifying information through HTTP headers, error pages, and default configurations. Tools like BuiltWith, Wappalyzer, or even simple curl commands can reveal:

  • Web server software (NGINX/Apache version)
  • Operating system details
  • Programming languages/frameworks
  • SSL certificate information

HTTP Headers

The most obvious leaks come from server headers. Here's how to sanitize them in NGINX:

server {
    # Remove Server header
    more_clear_headers 'Server';
    
    # Optionally set fake headers
    add_header Server "Microsoft-IIS/10.0";
    
    # Remove X-Powered-By if using PHP
    fastcgi_hide_header X-Powered-By;
}

Error Pages

Customize default error pages to remove framework traces:

error_page 404 /custom_404.html;
error_page 500 502 503 504 /custom_50x.html;

SSL/TLS Fingerprinting

Modern scanners can identify servers through TLS handshake patterns. Consider:

  • Using uncommon cipher suites
  • Disabling weak protocols (SSLv3, TLS 1.0)
  • Rotating certificates frequently

ModSecurity Anomaly Scoring

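Deploy WAF rules to block scanning tools that identify themselves in the User-Agent header. The header is client-controlled, so this only stops scanners run with their default settings: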

SecRule REQUEST_HEADERS:User-Agent "nikto|wpscan|sqlmap" \
    "id:1000,phase:1,deny,status:403,msg:'Scanner Detected'"

Port Randomization

Run services on non-standard ports behind a reverse proxy:

# sshd_config
Port 22222

# nginx.conf
server {
    listen 8080;

    # proxy_pass must sit inside a location block, not directly in server
    location / {
        proxy_pass http://127.0.0.1:80;
    }
}

Test your obscurity measures with:

curl -I yourdomain.com
nmap -sV -T4 yourdomain.com
whatweb yourdomain.com
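
An added example, not part of the original article: a Python check that takes the raw response head printed by curl -I and reports header values that still identify the stack, including the bare product name nginx keeps sending with server_tokens off alone. The sample responses are constructed, and the product-name list and the X-AspNet-Version, X-AspNetMvc-Version and X-Generator entries are assumptions that go beyond the Server and X-Powered-By headers the article names.

```python
import re

# Headers whose only job is to advertise the stack. The article names
# X-Powered-By; the other three are an added generalization.
DISCLOSING = {"x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator"}
PRODUCT = re.compile(r"nginx|apache|iis|openresty|litespeed", re.I)
VERSION = re.compile(r"\d+(?:\.\d+)+")  # 1.18.0, 10.0, ...
OS_HINT = re.compile(r"\((?:ubuntu|debian|centos|red hat|unix|win32|win64)[^)]*\)", re.I)

# Constructed sample response heads (not captured from a real host).
DEFAULT = "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\n\r\n"
TOKENS_OFF = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"
HARDENED = "HTTP/2 200\r\nserver: Custom\r\ncontent-type: text/html\r\n\r\n"


def parse_head(raw):
    """Return (lowercased name, value) pairs from a raw response head."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw):
    """Return (header, reason) findings for values that identify the stack."""
    findings = []
    for name, value in parse_head(raw):
        if name in DISCLOSING:
            findings.append((name, "stack-disclosing header: %r" % value))
        elif name == "server":
            for label, rx in (("product", PRODUCT), ("version", VERSION), ("os", OS_HINT)):
                if rx.search(value):
                    findings.append((name, "%s token in %r" % (label, value)))
    return findings


if __name__ == "__main__":
    for label, raw in (("default", DEFAULT), ("tokens off", TOKENS_OFF), ("hardened", HARDENED)):
        print(label, "->", audit(raw) or "no identifying headers")
```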

Remember that complete obscurity is impossible - determined attackers will always find ways to fingerprint systems. The goal is to raise the difficulty level enough to deter casual scanners.


When a web server responds to requests, it typically reveals information through:

  • HTTP headers (Server, X-Powered-By)
  • Error page signatures
  • Default file structures
  • Port service banners

Edit your NGINX configuration file (usually at /etc/nginx/nginx.conf):


http {
    server_tokens off;
    more_set_headers "Server: Custom";
    more_set_headers "X-Powered-By: PHP/7.4.3"; # Misdirection
}

Note: You'll need the headers-more-nginx-module for advanced header manipulation.

For SSH banner modification:


sudo nano /etc/ssh/sshd_config
# Change to:
DebianBanner no

For Apache (if used alongside NGINX):


ServerTokens Prod
ServerSignature Off

Implement reverse proxy obfuscation:


location / {
    proxy_pass http://backend;
    proxy_hide_header Server;
    proxy_hide_header X-Powered-By;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
}

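Example ModSecurity rule to log responses that still carry a Server header. The ctl action has no option for removing response headers, so the stripping itself is left to proxy_hide_header or more_clear_headers:


# ctl has no responseHeaders option, so this rule only logs.
# Rule ids must be unique; 1000 is already used by the scanner-blocking rule.
SecRule RESPONSE_HEADERS:Server "@rx .*" \
    "id:1001,phase:3,t:none,log,pass,msg:'Server header present in response'"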

Use these commands to verify:


# -s hides the progress meter; -i matches the lowercase "server:" sent over HTTP/2
curl -sI yourdomain.com | grep -i '^server:'
nmap -sV -T4 yourdomain.com
whatweb -v yourdomain.com

  • Change default SSH port from 22
  • Disable unnecessary services
  • Implement rate limiting
  • Regularly update packages