How to prevent nmap from fingerprinting HAProxy

In our regular security scans, our HAProxy instance is consistently reported with a version disclosure vulnerability. On closer inspection it turned out that there is no version banner in any response, and nmap is detecting HAProxy based on some kind of fingerprint.

Our HAProxy instance automatically redirects HTTP to HTTPS while proxying SSL traffic to different backend systems. The version disclosure is reported only on the HTTP port (80), not on the HTTPS port (443).

Here is an example of nmap output that illustrates the problem:

$ nmap -sV --script=http-headers example.com

PORT    STATE SERVICE    VERSION
80/tcp  open  http-proxy HAProxy http proxy 1.3.1 or later
| http-headers:
|   Content-length: 0
|   Location: https://example.com/
|   Connection: close
|
|_  (Request type: GET)
443/tcp open  ssl/http   nginx
| http-headers:
|   Server: nginx
|   Content-Type: application/json
|   Transfer-Encoding: chunked
|   Connection: close
|   Cache-Control: no-cache
|   Date: Thu, 06 Sep 2018 14:46:47 GMT
|   X-Frame-Options: SAMEORIGIN
|   X-Xss-Protection: 1; mode=block
|   X-Content-Type-Options: nosniff
|   Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
|   Strict-Transport-Security: max-age=16000000; includeSubDomains; preload;
|   X-Forwarded-Proto: https
|
|_  (Request type: GET)
|_http-server-header: nginx
Service Info: Device: load balancer

Since there is no banner/header revealing the presence of HAProxy, how does nmap accurately fingerprint HAProxy? I suspect nmap looks at the specific 301 payload or some TCP fingerprint unique to HAProxy.

The ultimate question is: how do I stop nmap from detecting HAProxy in the first place?

Answer 1

Nmap identifies HAProxy based on which headers which versions add to the response. The match lines are in the nmap-service-probes file in the Nmap source. Here are a few comments picked from the file to illustrate how this is done:

# HAProxy responses are mostly from http_err_msgs, HTTP_401_fmt, and HTTP_407_fmt in
# http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/proto_http.c
# Only statuses 200, 403, and 503 are likely to result from GetRequest;
# other probes can match via fallbacks.
match http-proxy m|^HTTP/1\.0 200 OK\r\nCache-Control: no-cache\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n<html><body><h1>200 OK</h1>\nHAProxy: service ready\.\n</body></html>\n$| p/HAProxy http proxy/ v/before 1.5.0/ d/load balancer/ cpe:/a:haproxy:haproxy/

# Statuses 400, 401, 403, 408, 500, 502, 503, and 504 gained "Content-Type: text/html" in v1.3.1.
# http://git.haproxy.org/?p=haproxy.git;a=commitdiff;h=791d66d3634dde12339d4294aff55a1aed7518e3;hp=b9e98b683612b29ef939c10d3d00be27de26534a
match http-proxy m|^HTTP/1\.0 400 Bad request\r\nCache-Control: no-cache\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n<html><body><h1>400 Bad request</h1>\nYour browser sent an invalid request\.\n</body></html>\n$| p/HAProxy http proxy/ v/1.3.1 or later/ d/load balancer/ cpe:/a:haproxy:haproxy/

You can't really prevent this without some kind of reverse proxy, and even with one, it is very likely to be fingerprinted. Find a way to record it as a false positive or an accepted risk: there is no way to avoid this, because it is not configurable.
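As an added illustration (not code from the post or from Nmap itself), here is a small Python script that parses two of the match lines quoted above with a simplified reader and applies them the way Nmap does to constructed HAProxy-style responses, so you can check what a given raw error response of your own would be labelled as. The probe-line parser is an assumption: it handles only the m|...| form and the p/, v/ and d/ fields, not the full nmap-service-probes syntax.

```python
import re

# Two match lines copied verbatim from the nmap-service-probes excerpt quoted
# in the answer above. Form: match <service> m|<regex>| p/.../ v/.../ d/.../ cpe:...
PROBE_LINES = [
    r"match http-proxy m|^HTTP/1\.0 200 OK\r\nCache-Control: no-cache\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n<html><body><h1>200 OK</h1>\nHAProxy: service ready\.\n</body></html>\n$| p/HAProxy http proxy/ v/before 1.5.0/ d/load balancer/ cpe:/a:haproxy:haproxy/",
    r"match http-proxy m|^HTTP/1\.0 400 Bad request\r\nCache-Control: no-cache\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n<html><body><h1>400 Bad request</h1>\nYour browser sent an invalid request\.\n</body></html>\n$| p/HAProxy http proxy/ v/1.3.1 or later/ d/load balancer/ cpe:/a:haproxy:haproxy/",
]

# Simplified parser (assumption): only the m|...| delimiter and the p/ v/ d/
# fields are understood; the real file allows other delimiters and flags.
MATCH_RE = re.compile(r"^match (\S+) m\|(.*?)\|(?:\s+(.*))?$")
FIELD_RE = re.compile(r"\b([pvd])/([^/]*)/")

def parse_match_line(line):
    """Turn one 'match' line into a dict with a compiled regex and its labels."""
    m = MATCH_RE.match(line)
    service, pattern, rest = m.group(1), m.group(2), m.group(3) or ""
    fields = dict(FIELD_RE.findall(rest))
    return {
        "service": service,
        "regex": re.compile(pattern),  # \r, \n and \. escapes are interpreted by re
        "product": fields.get("p"),
        "version": fields.get("v"),
        "device": fields.get("d"),
    }

PROBES = [parse_match_line(line) for line in PROBE_LINES]

def fingerprint(response):
    """Return (product, version, device) of the first probe that matches the raw response, else None."""
    for probe in PROBES:
        if probe["regex"].search(response):
            return probe["product"], probe["version"], probe["device"]
    return None

# Constructed sample: the exact bytes HAProxy >= 1.3.1 sends for a malformed request,
# taken from the 400 match line above.
SAMPLE_400 = ("HTTP/1.0 400 Bad request\r\nCache-Control: no-cache\r\nConnection: close\r\n"
              "Content-Type: text/html\r\n\r\n<html><body><h1>400 Bad request</h1>\n"
              "Your browser sent an invalid request.\n</body></html>\n")

# Constructed sample: the same response with one header removed. The match is
# byte-exact, so this no longer matches; that is what "identified by headers" means here.
SAMPLE_ALTERED = SAMPLE_400.replace("Cache-Control: no-cache\r\n", "")
```

Running fingerprint(SAMPLE_400) returns the 1.3.1-or-later label seen in the scan, while fingerprint(SAMPLE_ALTERED) returns None.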
