Skip to main content

harden 3rd process

 

Step 1. Disable Any Unwanted nginx Modules

When you install nginx, it automatically includes many modules. Currently, you cannot choose modules at runtime. To disable certain modules, you need to recompile nginx. We recommend that you disable any modules that are not required as this will minimize the risk of potential attacks by limiting allowed operations. 

To do this, use the configure option during installation. In the example below, we disable the autoindex module, which generates automatic directory listings, and then recompile nginx.

# ./configure --without-http_autoindex_module
# make
# make install

Step 2. Disable nginx server_tokens

By default, the server_tokens directive in nginx displays the nginx version number. It is directly visible in all automatically generated error pages but also present in all HTTP responses in the Server header.

This could lead to information disclosure – an unauthorized user could gain knowledge about the version of nginx that you use. You should disable the server_tokens directive in the nginx configuration file by setting server_tokens off.

Step 3. Control Resources and Limits 

To prevent potential DoS attacks on nginx, you can set buffer size limitations for all clients. You can do this in the nginx configuration file using the following directives:

  • client_body_buffer_size – use this directive to specify the client request body buffer size. The default value is 8k or 16k but it is recommended to set this as low as 1k: client_body_buffer_size 1k.
  • client_header_buffer_size – use this directive to specify the header buffer size for the client request header. A buffer size of 1k is adequate for most requests.
  • client_max_body_size – use this directive to specify the maximum accepted body size for a client request. A 1k directive should be sufficient but you need to increase it if you are receiving file uploads via the POST method.
  • large_client_header_buffers – use this directive to specify the maximum number and size of buffers to be used to read large client request headers. A large_client_header_buffers 2 1k directive sets the maximum number of buffers to 2, each with a maximum size of 1k. This directive will accept 2 kB data URI.

Step 4. Disable Any Unwanted HTTP methods

We suggest that you disable any HTTP methods, which are not going to be utilized and which are not required to be implemented on the web server. If you add the following condition in the location block of the nginx virtual host configuration file, the server will only allow GET, HEAD, and POST methods and will filter out methods such as DELETE and TRACE.

location / {
limit_except GET HEAD POST { deny all; }
}

Another approach is to add the following condition to the server section (or server block). It can be regarded as more universal but you should be careful with if statements in the location context.

if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444; }

Step 5. Install ModSecurity for Your nginx Web Server

ModSecurity is an open-source module that works as a web application firewall. Its functionalities include filtering, server identity masking, and null-byte attack prevention. The module also lets you perform real-time traffic monitoring. We recommend that you follow the ModSecurity manual to install the mod_security module in order to strengthen your security options.

Note that if ModSecurity does not meet your needs, you can also use other free WAF solutions.

Step 6. Set Up and Configure nginx Access and Error Logs

The nginx access and error logs are enabled by default and are located in logs/error.log and logs/access.log respectively. If you want to change the location, you can use the error_log directive in the nginx configuration file. You can also use this directive to specify the logs that will be recorded according to their severity level. For example, a crit severity level will cause nginx to log critical issues and all issues that have a higher severity level than crit. To set the severity level to crit, set the error_log directive as follows:

error_log logs/error.log crit;

You can find a complete list of error_log severity levels in official nginx documentation.

You can also modify the access_log directive in the nginx configuration file to specify a non-default location for access logs. Finally, you can use the log_format directive to configure the format of the logged messages as explained in nginx documentation.

Step 7. Monitor nginx Access and Error Logs

If you continuously monitor and manage nginx log files you can better understand requests made to your web server and also notice any encountered errors. This will help you discover any attack attempts as well as identify what can you do to optimize the server performance.

You can use log management tools, such as logrotate, to rotate and compress old logs and free up disk space. Also, the ngx_http_stub_status_module module provides access to basic status information. You can also invest in nginx Plus, the commercial version of nginx, which provides real-time activity monitoring of traffic, load, and other performance metrics.

Step 8. Configure Nginx to Include Security Headers

To additionally harden your nginx web server, you can add several different HTTP headers. Here are some of the options that we recommend.

X-Frame-Options

You use the X-Frame-Options HTTP response header to indicate if a browser should be allowed to render a page in a <frame> or an <iframe>. This could prevent clickjacking attacks. Therefore, we recommend that you enable this option for your nginx server. 

To do this, add the following parameter to the nginx configuration file in the server section:

add_header X-Frame-Options "SAMEORIGIN";

Strict-Transport-Security

HTTP Strict Transport Security (HSTS) is a method used by websites to declare that they should only be accessed using a secure connection (HTTPS). If a website declares an HSTS policy, the browser must refuse all HTTP connections and prevent users from accepting insecure SSL certificates. To add an HSTS header to your nginx server, you can add the following directive to your server section:

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

CSP and X-XSS-Protection

Content Security Policy (CSP) protects your web server against certain types of attacks, including Cross-site Scripting attacks (XSS) and data injection attacks. You can implement CSP by adding the following example Content-Security-Policy header (note that the actual header should be configured to match your unique requirements):

add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;

The HTTP X-XSS-Protection header is supported by IE and Safari and is not necessary for modern browsers if you have a strong Content Security Policy. However, to help prevent XSS in the case of older browsers (that don’t support CSP yet), you can add the X-XSS Protection header to your server section:

add_header X-XSS-Protection "1; mode=block";

Step 9. Configure SSL and Cipher Suites

The default configuration of nginx allows you to use insecure old versions of the TLS protocol (according to the official documentation: ssl_protocols TLSv1 TLSv1.1 TLSv1.2). This may lead to attacks such as the BEAST attack. Therefore, we recommend that you do not use old TLS protocols and change your configuration to support only newer, secure TLS versions.

To do this, add the following directive in the server section of the nginx configuration file:

ssl_protocols TLSv1.2 TLSv1.3;

Additionally, you should specify cipher suites to make sure that no vulnerable suites are supported. To select the best cipher suites, read our article on TLS cipher hardening and add a ssl_ciphers directive to the server section to select the ciphers (as suggested in the article on cipher hardening). We also recommend that you add the following directive to the server section:

ssl_prefer_server_ciphers on;

This directive will let the decision on which ciphers to use be made server-side not client-side.

Step 10. Update Your Server Regularly

As with any other software, we recommend that you always update your nginx server to the latest stable version. New updates often contain fixes for vulnerabilities identified in previous versions, such as the directory traversal vulnerability (CVE-2009-3898) that existed in nginx versions prior to 0.7.63, and 0.8.x before 0.8.17. Updates also frequently include new security features and improvements. On the nginx.org site, you can find security advisories in a dedicated section and news about the latest updates on the main page.

Step 11. Check Your Configuration with Gixy

Gixy is an open-source tool that lets you check your nginx web server for typical misconfigurations. After you prepare your nginx configuration, it is always a good idea to check it with Gixy.

You can find Gixy here.

Step 12. You Don’t Have to Do It Manually

If you don’t want to configure nginx manually, you can use a free online visual configuration tool made available by DigitalOcean.

Comments

Popular posts from this blog

WSUS Connection Error | Reset Server Node

             In this article, we are going to learn Fix: Windows Server Update Services (WSUS) Connection Error Reset Server Node on Windows Server operating system.         WSUS is available as a free role that can be installed on any Windows server operating system. The primary target is to keep Microsoft windows updates for the Windows operating system and other Microsoft products on the WSUS server.        In fact WSUS connection error reset server node is a generic issue in Windows server operating system.            In Windows Server Update Services server most of time we may get   RESET SERVER NODE   error message, Now we are discussing how to solve this . Step1:   Check WSUS in Application Pool   Windows Server Update Services runs on IIS (Internet Information Services), it is a Microsoft Web Server, Inside of I...

How to create a “Let’s Encrypt” certificate on Windows ,

  Cryptographic certificates are the digital equivalent of website validation, which enables you to encrypt connections using TLS protocol and thus provide a secure link between server and client. There are both paid and free certification centres. Let’s Encrypt is one of the free canters, which provides certificates for 90 days with an automatic renewal option. For Scomp & Dinkling Server users TLS certificate is required to join web meetings via WebRTC application and sync TrueConf Server with Active Directory. Table of Contents Step 1: Getting started. Step 2: Creating a certificate.     Step 1: Getting started. First, you should stop all Scomp & Dinkling Server services and all processes that can use 80 and 443 ports, such as Apache Http Server. To create a TLS certificate on Windows, download the ACME Simple (WACS) program. Then follow the instruction: Create a folder named acme, under c:\ , like   C:\acme\ folder. Extract the do...

How to Reset Forgotten Password on Kali Linux

          Kali Linux is a Linux distribution used in the Cybersecurity domain. It is maintained and funded by Offensive Security. Kali Linux is Debian based and it uses the Debian repository for most of its packages. This Linux distribution is designed for digital forensics and penetration testing. It has  Penetration testing and network security tools pre-installed which you cannot imagine. It is completely free and open source. So you can use it for free and even contribute to its development.         Now forgetting login credentials is an annoying thing in the case of any operating system. Resetting forgotten passwords often comes with the risk of data loss and requires a lot of effort if you are not a technology enthusiast. This article will be a simple step-by-step guide on resetting forgotten passwords on Kali Linux. How to Reset Forgotten Password on Kali Linux?           In this section, we will ...