
How to remediate – Nginx Default Index Page

1. Introduction

The Nginx Default Index Page vulnerability means the stock “Welcome to nginx!” page is still being served by a web server running Nginx. This reveals that the server is an unconfigured Nginx installation, which aids attackers in reconnaissance. It affects any system with an exposed Nginx web server that has not been configured to serve custom content. A successful exploit leads to information disclosure, impacting confidentiality.

2. Technical Explanation

The vulnerability occurs because Nginx is often installed with default configuration files which include a basic index page. This page provides details about the Nginx version and operating system, assisting attackers in identifying potential exploits. An attacker can simply browse to the web server’s root directory to view this information. The vulnerability exists on any Nginx installation using the default configuration.

  • Exploit mechanism: An attacker sends an HTTP request to the server’s root path (/).
  • Scope: All Nginx web servers with default configurations are affected.

3. Detection and Assessment

You can confirm this vulnerability by checking if the default index page is accessible through a web browser or command-line tool. A thorough method involves scanning for specific file signatures.

  • Quick checks: Accessing the server’s root directory in a web browser (e.g., http://yourserver/).
  • Scanning: Nessus plugin ID 10428 can detect this issue. OpenVAS also has relevant scans.
  • Logs and evidence: Web server access logs may show requests for ‘index.html’ or similar default files.
  • Command: curl -I http://yourserver/ (with server_tokens on, the Server header in the response includes the Nginx version number).

4. Solution / Remediation Steps

The following steps will remove the default index page and disable server tokens to prevent information leakage. These are small, testable actions with a clear rollback path.

4.1 Preparation

  • Ensure you have access to edit the Nginx configuration files (usually located in /etc/nginx/) and back them up before changing anything; rolling back means restoring those backed-up copies.
  • Changes should be made during a maintenance window if possible, with approval from relevant IT teams.

4.2 Implementation

  1. Edit the main Nginx configuration file (usually /etc/nginx/nginx.conf).
  2. Locate the `server_tokens` directive and set it to “off”. If the directive is missing or commented out, add `server_tokens off;` inside the `http` block.
  3. Remove or rename the default index files (e.g., index.html, index.htm) from the web root directory (usually /usr/share/nginx/html/).
  4. Restart the Nginx service to apply the changes (sudo systemctl restart nginx).

4.3 Config or Code Example

Before

server_tokens on;
location / {
    root   /usr/share/nginx/html;
    index  index.html index.htm;
}

After

server_tokens off;
location / {
    root   /usr/share/nginx/html;
    # No index directive here; nginx still tries index.html by default, so the
    # stock index files must be removed or renamed (step 3). With none present
    # and autoindex off, a request for / returns 403 Forbidden.
}
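To make the difference between the two snippets checkable rather than eyeballed, here is an added Python audit that is not part of the original article. It evaluates a configuration fragment together with the contents of the web root; the function names (audit_nginx_config and friends) and the sample inputs are mine, and the index check relies on nginx falling back to index.html when no index directive is present.

```python
import re

DEFAULT_PAGE_MARKER = "Welcome to nginx!"   # title of the stock nginx index page

def _strip_comments(conf: str) -> str:
    """Drop '#' comments so a commented-out 'server_tokens off;' is not taken as live."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

def effective_server_tokens(conf: str) -> str:
    """Last server_tokens value set, or 'on' (nginx's built-in default) when none is set."""
    values = re.findall(r"\bserver_tokens\s+(\S+?)\s*;", _strip_comments(conf))
    return values[-1] if values else "on"

def effective_index_names(conf: str) -> list:
    """Index files nginx will try for /; without an index directive it tries index.html."""
    found = re.findall(r"\bindex\s+([^;]+);", _strip_comments(conf))
    return found[-1].split() if found else ["index.html"]

def audit_nginx_config(conf: str, webroot: dict) -> list:
    """Audit a config fragment against the web root (filename -> contents); [] means clean."""
    findings = []
    tokens = effective_server_tokens(conf)
    if tokens != "off":
        findings.append(f"server_tokens is '{tokens}'; version is exposed in the Server header")
    for name in effective_index_names(conf):
        if name in webroot:                      # nginx serves the first index file that exists
            if DEFAULT_PAGE_MARKER in webroot[name]:
                findings.append(f"default index file {name} is still served from the web root")
            break
    return findings

# Constructed inputs mirroring the Before/After snippets above (hypothetical, not a live host)
BEFORE = "server_tokens on;\nlocation / {\n    root /usr/share/nginx/html;\n    index index.html index.htm;\n}\n"
AFTER = "server_tokens off;\nlocation / {\n    root /usr/share/nginx/html;\n}\n"
STOCK_PAGE = "<html><head><title>Welcome to nginx!</title></head><body></body></html>"

if __name__ == "__main__":
    for label, conf, files in (("before", BEFORE, {"index.html": STOCK_PAGE}),
                               ("after, file kept", AFTER, {"index.html": STOCK_PAGE}),
                               ("after, file removed", AFTER, {})):
        print(label, "->", audit_nginx_config(conf, files) or "clean")
```

Note that the “after” config alone is not enough: as long as the stock index.html remains in the web root, the audit still flags it, which is why step 3 removes the file.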

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this issue. Least privilege reduces the impact if an attacker gains information, and secure defaults minimise initial exposure.

  • Practice 1: Implement least privilege principles for all server accounts and processes.
  • Practice 2: Use safe default configurations whenever possible, avoiding unnecessary exposed services or files.

4.5 Automation (Optional)

#!/bin/bash
# This script assumes sudo access is configured for the user running it.
set -euo pipefail
CONF=/etc/nginx/nginx.conf
sudo cp "$CONF" "$CONF.bak.$(date +%Y%m%d%H%M%S)"   # keep a copy for rollback (section 7)
# Set server_tokens off; also handles a commented-out "# server_tokens off;" line as shipped in some distro defaults
sudo sed -i -E 's/^([[:space:]]*)#?[[:space:]]*server_tokens[[:space:]]+[a-z]+;/\1server_tokens off;/' "$CONF"
grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off;' "$CONF" || echo "WARNING: no server_tokens directive found; add 'server_tokens off;' to the http block" >&2
sudo rm -f /usr/share/nginx/html/index.html   # remove default index page; -f ignores a missing file
sudo nginx -t                                  # validate the configuration before restarting
sudo systemctl restart nginx
echo "Nginx server tokens disabled and default index page removed."

5. Verification / Validation

Confirm the fix by checking that the default index page is no longer accessible and that server tokens are disabled in HTTP headers. A smoke test should verify basic web service functionality.

  • Post-fix check: Accessing http://yourserver/ should return a 403 Forbidden error or a custom error page.
  • Re-test: Re-run the curl command from section 3 to confirm no default index page is served.
  • Smoke test: Verify that other web pages are still accessible and functioning correctly.
  • Monitoring: Monitor access logs for unexpected requests to / or attempts to list directory contents.
  • Command: curl -I http://yourserver/ (the Server header should now read just “nginx”, with no version number).
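To turn the curl check into something repeatable, for both the initial assessment in section 3 and the re-test here, the following Python checker is an added example that is not from the original article. assess_response and probe are names I chose; the two sample responses are constructed, not captured from a real host.

```python
import re
import urllib.error
import urllib.request

DEFAULT_PAGE_MARKER = "Welcome to nginx!"   # title of the stock nginx index page

def assess_response(status: int, headers: dict, body: str) -> list:
    """Findings for one response to GET /; an empty list means the check passes."""
    findings = []
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    # server_tokens on  -> "Server: nginx/<version>"; server_tokens off -> "Server: nginx"
    version = re.match(r"nginx/(\S+)", server)
    if version:
        findings.append(f"server version disclosed in Server header: {version.group(1)}")
    if status == 200 and DEFAULT_PAGE_MARKER in body:
        findings.append("default nginx index page is served at /")
    return findings

def probe(url: str, timeout: float = 5.0) -> list:
    """Fetch / from a live host and assess it; error responses (403, 404, ...) are assessed too."""
    req = urllib.request.Request(url, headers={"User-Agent": "nginx-default-page-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess_response(resp.status, dict(resp.headers), resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return assess_response(err.code, dict(err.headers), err.read(4096).decode("utf-8", "replace"))

# Constructed sample responses (hypothetical, not captured from a real server)
BEFORE_FIX = (200, {"Server": "nginx/1.18.0", "Content-Type": "text/html"},
              "<html><head><title>Welcome to nginx!</title></head><body></body></html>")
AFTER_FIX = (403, {"Server": "nginx", "Content-Type": "text/html"},
             "<html><head><title>403 Forbidden</title></head><body><h1>403 Forbidden</h1></body></html>")

if __name__ == "__main__":
    print("before fix:", assess_response(*BEFORE_FIX))
    print("after fix: ", assess_response(*AFTER_FIX) or "clean")
```

Run probe("http://yourserver/") before and after the change; a non-empty list after the fix means either the version is still in the Server header or the stock page is still reachable.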

6. Preventive Measures and Monitoring

Regular security baselines, pipeline checks, and a robust patch process can prevent this vulnerability. For example, update your CIS benchmark or GPO settings to enforce secure Nginx configurations.

  • Baselines: Regularly review and update security baselines for all servers, including Nginx configuration standards.
  • Asset and patch process: Implement a regular patch cycle for all software, including Nginx, and review configuration changes.

7. Risks, Side Effects, and Roll Back

Removing the default index page may break existing applications relying on it. Incorrectly configuring Nginx can cause service outages. The rollback steps involve restoring the backed-up config files.

  • Risk or side effect: Service outage due to incorrect Nginx configuration. Mitigation: Carefully review all changes and have a rollback plan ready.
  • Roll back: Restore the backed-up Nginx configuration files (sudo cp /path/to/backup/nginx.conf /etc/nginx/nginx.conf) and restart the service (sudo systemctl restart nginx).

Updated on December 27, 2025
