Eight tips to protect your Nginx


1. Keep Nginx up to date

Nginx, like any open source software, can be installed either from your distribution's repositories or by downloading the source code and compiling it on your own machine.

The second option has advantages over the first: you can enable additional modules that are not built by default, disable modules you will not use, and get the latest version released by the developers, which is not always the one available in the repositories.

Installation from the console

sudo apt-get install nginx
sudo pacman -S nginx
sudo yum install nginx

Download source code

Go to the nginx download site, choose the package you want, and fetch it with "wget".

For example: sudo wget http://nginx.org/download/nginx-1.9.12.tar.gz

Then we extract the package (tar -xzf nginx-1.9.12.tar.gz), enter the extracted directory and run the following commands in this order:

./configure
make
sudo make install


2. Delete unnecessary modules

As we saw in the first point, compiling our own Nginx lets us enable or disable modules as we need them, personalising the installation and reducing the code that is exposed. Each module is disabled with a --without-... option of the configure script:

./configure --without-modulo01 --without-modulo02
./configure --without-http_dav_module --without-http_spdy_module

3. Disable server_tokens

The server_tokens directive controls whether the exact Nginx version is shown on error pages and in the Server response header. That information can point an attacker towards weaknesses known for that version, so it is advisable to hide it.

We do this by placing the following directive inside the server block (it is also valid in the http block) of the configuration file:

server_tokens off;


4. Disable unwanted HTTP methods

Most websites and web applications use nothing beyond the GET, POST and HEAD methods, so on our web server we should reject every other HTTP method, avoiding unwanted requests and saving traffic.

To do this we add the following lines to the server block in the configuration file (nginx directives are lowercase and case-sensitive):

if ($request_method !~ ^(GET|HEAD|POST)$) {
    return 444;
}

Status 444 is special to Nginx: the connection is closed without sending any response at all. To check that it works we make a request with curl sending a DELETE method and another sending one of the allowed methods; the first should report an empty reply from the server.

curl -X DELETE http://nuestradireccionIP/index.html
curl -X POST http://nuestradireccionIP/index.html


5. Set Buffer Limits

To avoid attacks based on buffer overflow and oversized requests, we limit how much request data Nginx will buffer by placing the following directives in a new file named 'buffer.conf' in the path shown below. The values are deliberately tiny for this example: with client_max_body_size 1k any upload larger than 1 KB is rejected with a 413 error, so adjust them to what your application actually needs.

cd /etc/nginx/conf.d
nano buffer.conf

client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;

Once the file is created, make sure the main configuration file includes it inside the http block with this line (many distributions already ship it):

include /etc/nginx/conf.d/*.conf;


6. Limit the number of connections per IP

A highly recommended measure if we value the resources and bandwidth we have. Bear in mind, though, that not every connection made to our site is counted: only those whose request the server is processing and whose headers have already been read.

For this we use the 'limit_conn_zone' directive (outside the server block, in the http block of the configuration file) to define a shared memory zone keyed by client address, and the 'limit_conn' directive (inside the server block) to apply the limit:

limit_conn_zone $binary_remote_addr zone=addr:5m;
limit_conn addr 1;

Here we have set a limit of one connection per IP, which is of course exaggerated but serves for this example.


7. Redirect HTTP to HTTPS

We add the following line to the server block that serves plain HTTP (the one listening on port 80), so that every request is sent to its HTTPS equivalent:

return 301 https://$server_name$request_uri;

Allow only TLS (disable SSL).

The following directive can be placed inside the 'server' block of the configuration file, or in a separate file (usually called 'ssl.conf') that is then included:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

With this line SSLv2 and SSLv3 are no longer offered and only the TLS versions we list are negotiated.


8. Configure Logs

Having a way to monitor what happens on our server is fundamental in case of errors or a possible attack: it lets us diagnose problems, identify source IPs, and so on.

In Nginx we add a line inside the 'server' block of the configuration file specifying the path of the log file and the minimum severity level to record:

error_log /var/www/logs/nginxserver.log error;
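As an added example (not from the original post), the following POSIX shell script audits an nginx configuration file for the eight settings described above; it runs against a constructed sample config and assumes all directives live in the one file it is given, since it does not follow include directives.

```shell
# Added example, not part of the original post: audit an nginx config file for the
# hardening directives this post recommends. Needs only POSIX sh and grep -E.

# check LABEL ERE: PASS if the pattern matches a line of $conf, else FAIL (counted)
check() {
  if grep -Eq "$2" "$conf"; then echo "PASS $1"; else echo "FAIL $1"; fails=$((fails+1)); fi
}

# audit_nginx_conf FILE: prints one line per check; exit status = number of failed checks
audit_nginx_conf() {
  conf="$1"; fails=0
  check "server_tokens off"        '^[[:space:]]*server_tokens[[:space:]]+off;'
  check "method allow-list (444)"  'request_method[[:space:]]+!~[[:space:]]*\^?\(GET[|]HEAD[|]POST\)'
  check "client_max_body_size set" '^[[:space:]]*client_max_body_size[[:space:]]+[0-9]+[kKmM]?;'
  check "limit_conn_zone defined"  '^[[:space:]]*limit_conn_zone[[:space:]]+\$binary_remote_addr'
  check "limit_conn applied"       '^[[:space:]]*limit_conn[[:space:]]+[A-Za-z_]+[[:space:]]+[0-9]+;'
  check "http->https redirect"     'return[[:space:]]+301[[:space:]]+https://'
  check "error_log configured"     '^[[:space:]]*error_log[[:space:]]+/'
  # ssl_protocols must be present and must not list any SSLv* protocol
  if grep -Eq '^[[:space:]]*ssl_protocols' "$conf" && ! grep -Eq 'ssl_protocols[^;]*SSLv' "$conf"
  then echo "PASS ssl_protocols excludes SSL"
  else echo "FAIL ssl_protocols excludes SSL"; fails=$((fails+1))
  fi
  return "$fails"
}

# write_sample_conf FILE: a constructed config that applies all eight tips of this post
write_sample_conf() {
  cat > "$1" <<'EOF'
limit_conn_zone $binary_remote_addr zone=addr:5m;
server {
    listen 80;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_tokens off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    client_max_body_size 1k;
    limit_conn addr 1;
    error_log /var/www/logs/nginxserver.log error;
    if ($request_method !~ ^(GET|HEAD|POST)$) { return 444; }
}
EOF
}

# Usage: write_sample_conf /tmp/hardened.conf && audit_nginx_conf /tmp/hardened.conf
```

Run it against your real nginx.conf (with included files concatenated first) and treat any FAIL line as a setting to review.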

With these practices we have made a good improvement to the security of our server. Remember that I am writing from my limited knowledge; if I skipped something or made a mistake, let me know through the contact area.


Written by Daniel Morales