Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


how to find out version of nginx/postfix/dovecot without access to the server?
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

how to find out version of nginx/postfix/dovecot without access to the server?

4n0nx4n0nx Member

Hi,

I would like to find out the version of nginx/postfix/dovecot without having access to the server. Is that possible?

Thanks

Comments

  • ATHKATHK Member

    http://www.cyberciti.biz/faq/find-out-remote-webserver-name/

    Might not work for everything you've asked, but its a start

    Thanked by 14n0nx
  • 4n0nx4n0nx Member

    ATHK said: Might not work for everything you've asked, but its a start

    Thanks, but I'd like to know the version. Only says nginx :(

  • NyrNyr Community Contributor, Veteran

    Then someone modified the headers to hide it, because nginx shows this by default. Why do you want to know?

    Thanked by 14n0nx
  • 4n0nx4n0nx Member

    Nyr said: Then someone modified the headers to hide it, because nginx shows this by default. Why do you want to know?

    It doesn't show on any server I check (including my own) O.o

    Just curious. :) I love your avatar

    Thanked by 1Nyr
  • NyrNyr Community Contributor, Veteran

    4n0nx said: It doesn't show on any server I check (including my own) O.o

    It does on the official packages for my distro, so I supposed it was the default. There are other ways to guess the webserver, like directory listings or error pages, among more advanced probes. Guessing the exact version can be more difficult.

    Thanked by 14n0nx
  • 4n0nx said: It doesn't show on any server I check (including my own) O.o

    Because any responsible Sysadmin will enable server_tokens off;. Unless you're trying to find an exploit, there shouldn't be a need to find the version number.

    Thanked by 14n0nx
  • rokokrokok Member
    edited May 2015

    nginx header version? i dont think thats possible if the server token turn off or use nginx header more to hide/manipulate. There is good chrome extension to check server details https://chrome.google.com/webstore/detail/server-details/bdjdcpoklgpglobffdadmmjcgbknmkfh?hl=en

  • NyrNyr Community Contributor, Veteran

    telephone said:

    Because any responsible Sysadmin will enable server_tokens off;.

    I consider myself a responsible sysadmin and nearly never bother to do it nor change the default SSH port and this kind of security by obscurity things.

    Thanked by 14n0nx
  • rm_rm_ IPv6 Advocate, Veteran
    edited May 2015

    Nyr said: never bother to do it

    Never bothered either, but did just now, because why not. Was just one line in a config file:
    http://www.ducea.com/2009/02/08/lighty-tips-tricks-hide-lighttpd-software-version/

    Thanked by 2telephone 4n0nx
  • Nyr said: I consider myself a responsible sysadmin and nearly never bother to do it nor change the default SSH port and this kind of security by obscurity things.

    While hiding the version doesn't mean script kiddies will gloss over your server if a 0day exploit is released, it does (even if it's only by 1%) increase the chances they'll move on.

    The same can be said with changing the default SSH port, along with disabling passwords. While it won't stop someone from searching open ports, the number of attempted logins will significantly decrease as the majority of scripts are only tuned for port 22.

    Thanked by 14n0nx
  • 4n0nx4n0nx Member

    Ok it looks like that isn't so easy to do. I thought it was since shodan scans my server frequently. If it doesn't check the version of my software, then what does it do?

Sign In or Register to comment.