如何防止nmap从指纹HAProxy中提取

Question

在我们的定期安全扫描中，我们的HAProxy实例总是被报告为版本泄漏漏洞。在进一步的检查中，似乎在任何响应中都没有版本横幅，并且nmap负责根据某种指纹检测HAProxy。

我们的HAProxy实例将自主地将HTTP重定向到HTTPS，同时将SSL流量代理到不同的后端系统。版本泄露仅在HTTP (80)端口上报告，而不是在HTTPS (443)端口上报告。

下面是一个示例nmap输出，说明了这个问题：

$ nmap -sV --script=http-headers example.com

PORT    STATE SERVICE    VERSION
80/tcp  open  http-proxy HAProxy http proxy 1.3.1 or later
| http-headers:
|   Content-length: 0
|   Location: https://example.com/
|   Connection: close
|
|_  (Request type: GET)
443/tcp open  ssl/http   nginx
| http-headers:
|   Server: nginx
|   Content-Type: application/json
|   Transfer-Encoding: chunked
|   Connection: close
|   Cache-Control: no-cache
|   Date: Thu, 06 Sep 2018 14:46:47 GMT
|   X-Frame-Options: SAMEORIGIN
|   X-Xss-Protection: 1; mode=block
|   X-Content-Type-Options: nosniff
|   Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
|   Strict-Transport-Security: max-age=16000000; includeSubDomains; preload;
|   X-Forwarded-Proto: https
|
|_  (Request type: GET)
|_http-server-header: nginx
Service Info: Device: load balancer

nmap如何准确的指纹HAProxy，因为没有横幅/头显示它的存在？我猜想nmap会查看具体的301有效载荷或一些TCP指纹，这是HAProxy特有的。

最终的问题是，首先，如何防止nmap检测HAProxy？

Answer 1

Nmap根据向响应添加了哪些头的版本来标识HAProxy。匹配线在Nmap源的nmap-service-probes文件中。下面是从文件中选择的一些注释，以说明这是如何实现的：

# HAProxy responses are mostly from http_err_msgs, HTTP_401_fmt, and HTTP_407_fmt in
# http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/proto_http.c
# Only statuses 200, 403, and 503 are likely to result from from GetRequest;
# other probes can match via fallbacks.
match http-proxy m|^HTTP/1\.0 200 OK\r\nCache-Control: no-cache\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n200 OK\nHAProxy: service ready\.\n\n$| p/HAProxy http proxy/ v/before 1.5.0/ d/load balancer/ cpe:/a:haproxy:haproxy/

# Statuses 400, 401, 403, 408, 500, 502, 503, and 504 gained "Content-Type: text/html" in v1.3.1.
# http://git.haproxy.org/?p=haproxy.git;a=commitdiff;h=791d66d3634dde12339d4294aff55a1aed7518e3;hp=b9e98b683612b29ef939c10d3d00be27de26534a
match http-proxy m|^HTTP/1\.0 400 Bad request\r\nCache-Control: no-cache\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n400 Bad request\nYour browser sent an invalid request\.\n\n$| p/HAProxy http proxy/ v/1.3.1 or later/ d/load balancer/ cpe:/a:haproxy:haproxy/

# Statuses 400, 401, 403, 408, 500, 502, 503, and 504 gained "Content-Type: text/html" in v1.3.1.
# http://git.haproxy.org/?p=haproxy.git;a=commitdiff;h=791d66d3634dde12339d4294aff55a1aed7518e3;hp=b9e98b683612b29ef939c10d3d00be27de26534a
match http-proxy m|^HTTP/1\.0 400 Bad request\r\nCache-Control: no-cache\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n400 Bad request\nYour browser sent an invalid request\.\n\n$| p/HAProxy http proxy/ v/1.3.1 or later/ d/load balancer/ cpe:/a:haproxy:haproxy/

如果不使用某种反向代理，就无法真正防止这种情况发生，即使这样也很可能是可以指纹的。找到一种方法来记录这是一种假阳性或被接受的风险:没有办法避免这类事情，因为它是不可配置的。