Top 10 tips to improve nginx server security

inorder to implement security rules, first we know the types attacks & vulnerabilities of server, or linux kernel.

most common attacks are

#1 brute force attacks ddos (to take down the server)

#2 SQL injection (to gain access to database to steal valuable info like customer credit card details)

#3XSS cross site injection

sending post requests from their severs, to our database.

#4 application level vulnerabilities, kernel level etc.

Table of Contents

rate limiting

we can configure it in nginx.conf

blocking certain ip address , once it reaches the maximum request per second.

this way we can avoid brute force attacks

disable unwanted modules /install with required modules

so we limit operation

less exposure

# ./configure –without-http_autoindex_module

# make

# make install

Disable nginx server_tokens

server_tokens off

in nginx.conf

avoid large buffer size

large_client_header_buffers

client_max_body_size

client_header_buffer_size

client_body_buffer_size

disable unwanted methods

location /

{limit_except GET HEAD POST { deny all; }}

unwanted methods like delete trace blocks by nginx.

install mod security or other waf solutions

setup critical access loge for convienent

error_log logs/error.log crit;

Monitor nginx with status module /New relic / datadog

nginx statut module free but you need recompile the nginx.

or follow the approache how to use nginx dynamic modules

New relic & data dog server & application monitoring services at entrepreneur level.

also try netdata.

my recommendation is newrelic, you can also track on android app.

#add security headers

disable iframes on other websites

add_header X-Frame-Options “SAMEORIGIN”;

Strict-Transport-Security only https

add_header Strict-Transport-Security “max-age=31536000; includeSubdomains; preload”;

CSP and X-XSS-Protection headers

CSP

content security policy, xss crosite scripting attacks,

you must understand the policies must before yding this.

add_header Content-Security-Policy “default-src ‘self’ http: https: data: blob: ‘unsafe-inline'” always;

Xss

getting data from your server database by post requests .

add_header X-XSS-Protection “1; mode=block”;

Confogure latest ssl vesions & ciphersuites

ssl 3 or tls 1 version old its easy to hckable.

tsl 1.2 also some vulnarebilies

tls 1.3 new but almost all browser supports now as on 2020

ssl_protocols TLSv1.2 TLSv1.3

ciphersuites Based on server not from user

ssl_prefer_server_ciphers on;

update nginx upto date

to know what’s they fixed, added new features.

always do

apt-update

upgrable command

thrn check details on their website nginx.org

to check nginx security

Install gixy

pip install gixy

&run

gixy

it checks

/etc/nginx/nginx.conf

iptables /ufw /firewall d also helps to strengthen the security.

https://github.com/yandex/gixy

https://www.digitalocean.com/community/tools/nginx?domains.1.server.domain=example2.com