(a.k.a: “Stop Flexing Your Kernel Version to Strangers”)
So you’ve hardened SSH, installed UFW, disabled root login, and feel like your server is Fort Knox.
But… what if I told you your server is still leaking information?
Yup — it’s still out there, whispering to the internet:
“Hi, I’m Ubuntu 20.04. Kernel 5.4.0-172. Come hack me maybe?”
Let’s stop that. Right now.
🧐 What’s an OS Fingerprint Anyway?
When someone scans your server (and yes, it’s being scanned — even while you read this), your machine can unintentionally reveal:
- OS version
- Web server version
- Open ports + services
- Kernel details
- and sometimes, your home address. (Okay not really, but you get the point)
This info helps attackers pick the perfect exploit — especially if you’re running an outdated or unpatched system.
So let’s make your server quiet and mysterious like a Linux ninja.
🛡️ Step 1: Hide OS Info from SSH Banner
Try this:
telnet yourserver.com 22
You’ll likely see something like:
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9
That’s a free invitation for attackers. Let’s make it generic.
Edit the SSH config:
sudo nano /etc/ssh/sshd_config
Add or modify:
DebianBanner no
Restart SSH:
sudo systemctl restart ssh
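Now it’ll just say:
SSH-2.0-OpenSSH_8.2p1
The distro suffix is gone. The OpenSSH version itself stays, because sshd has no config option to remove it from this string.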
Much better.
🕶️ Step 2: Remove OS Info from /etc/issue and /etc/motd
These files are displayed on login, and can leak version info.
Clean them out:
sudo truncate -s 0 /etc/issue
sudo truncate -s 0 /etc/issue.net
sudo truncate -s 0 /etc/motd
Prevent auto-regeneration:
Some systems regenerate /etc/motd using update-motd.d. You can disable it:
sudo chmod -x /etc/update-motd.d/*
Or, if you still want a welcome message:
echo "Welcome to the Matrix." | sudo tee /etc/motd
🕵️ Step 3: Hide Kernel Version from Web Servers (Apache/Nginx)
If using Nginx:
Edit config:
sudo nano /etc/nginx/nginx.conf
Set:
server_tokens off;
If using Apache:
sudo nano /etc/apache2/conf-available/security.conf
Set:
ServerTokens Prod
ServerSignature Off
Restart web server:
sudo systemctl restart nginx
# or
sudo systemctl restart apache2
Now your server won’t shout out “Apache 2.4.41 on Ubuntu!” to every browser.
🪖 Step 4: Hide Kernel Version from uname and /proc/version
This one’s a bit more advanced (and optional). Most users can’t see it unless they’ve already compromised your server. But just in case:
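Restrict kernel info in dmesg (this sysctl limits the kernel log to privileged users; uname and /proc/version themselves stay readable):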
sudo sysctl -w kernel.dmesg_restrict=1
Make it permanent:
echo "kernel.dmesg_restrict=1" | sudo tee -a /etc/sysctl.conf
🔍 Step 5: Check Your Fingerprint from Outside
Want to see what your server is exposing?
Try:
sudo nmap -sS -sV yourserver.com
Or use:
These tools show what a stranger can learn about your server in seconds.
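To read those results at a glance, here is an added example (not from the original post): a POSIX sh helper that classifies what an SSH identification string or an HTTP Server header still reveals, run over constructed before/after banners. The function and tag names are chosen for this example.

```sh
# Added example: classify what a grabbed banner still reveals (POSIX sh).

# Leak tags for an SSH identification string
# (RFC 4253: SSH-protoversion-softwareversion[ SP comments]).
ssh_banner_leaks() {
  sbl_rest=${1#SSH-*-}                  # drop the "SSH-2.0-" prefix
  sbl_leaks=
  case $sbl_rest in                     # text after a space is the distro suffix
    *" "*) sbl_leaks="distro-comment"; sbl_rest=${sbl_rest%% *} ;;
  esac
  case $sbl_rest in                     # digits in the software field = version
    *[0-9]*) sbl_leaks="software-version${sbl_leaks:+ $sbl_leaks}" ;;
  esac
  echo "${sbl_leaks:-none}"
}

# Leak tags for an HTTP Server header value, e.g. "Apache/2.4.41 (Ubuntu)".
http_server_leaks() {
  hsl_leaks=
  case $1 in */[0-9]*) hsl_leaks="software-version" ;; esac
  case $1 in *"("*")"*) hsl_leaks="${hsl_leaks:+$hsl_leaks }os-comment" ;; esac
  echo "${hsl_leaks:-none}"
}

# Audit stdin lines of the form "ssh <banner>" or "http <Server value>".
# Prints one verdict per line; returns 1 if any line still names the distro/OS.
audit() {
  au_rc=0
  while IFS= read -r au_line; do
    au_kind=${au_line%% *}; au_val=${au_line#* }
    case $au_kind in
      ssh)  au_tags=$(ssh_banner_leaks "$au_val") ;;
      http) au_tags=$(http_server_leaks "$au_val") ;;
      *)    continue ;;
    esac
    echo "$au_kind: $au_val -> $au_tags"
    case $au_tags in *comment*) au_rc=1 ;; esac
  done
  return "$au_rc"
}

# Constructed sample banners: before and after the changes described above.
audit <<'EOF' || echo "distro/OS details still exposed"
ssh SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9
ssh SSH-2.0-OpenSSH_8.2p1
http Apache/2.4.41 (Ubuntu)
http nginx
EOF
```

To audit your own host, feed `audit` lines built from the telnet banner in Step 1 and the Server header of an HTTP response.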
✅ Final Checklist
| Leak Type | Fixed? |
|---|---|
| SSH Banner | ✅ |
| MOTD / Issue files | ✅ |
| Web server headers | ✅ |
| Kernel info restricted | ✅ |
| Nmap footprint reduced | ✅ |
👻 Final Thoughts
You wouldn’t walk around with your bank PIN tattooed on your forehead, right?
So don’t let your server broadcast its OS version to the world.
Obscurity isn’t a replacement for security — but it sure buys you time.
Time that might make all the difference.
Stay mysterious, stay secure.
– dethinked