How to secure Nginx – A practical guide from the trenches
You can do a hundred things to secure & harden Nginx.
But what do you REALLY need? What are the important steps you need to take?
To answer that question, we need to look at the security issues most commonly reported on Nginx servers.
Here at Bobcares, our Hosting Support Engineers monitor and maintain hundreds of Nginx servers of our customers (like web hosts, digital marketers, etc.).
On these servers, these are the security issues we've seen, sorted by frequency of occurrence:
- Comment spam
- Website infection
- Malware upload & spamming
- Bot upload & outbound attacks
- Mass exploits & Brute force attacks
- Critical vulnerabilities in server software (SSL, Nginx, etc.)
As you can see, you are more likely to face a website defacement or infection than a high-severity server hack.
That is why when we secure the Nginx servers of our customers, we give more importance to systems that prevent website infection.
Without further ado, here are the top 7 steps we take to secure an Nginx server:
1. Block common attacks with a Web Application Firewall
The internet is hit with hundreds of new web application exploits every day.
But all these exploits use common attack methods such as Cross-Site Scripting, Remote File Inclusion, Path Traversal, SQL Injection, etc.
Web Application Firewalls (WAFs) detect that kind of malicious behavior and block attempts to exploit websites.
We've had good results with open source firewalls such as ModSecurity and NAXSI.
However, the important thing to keep in mind is that your firewall is only as good as the rule sets you are using.
Here at Bobcares, we use rulesets from multiple sources such as OWASP, Sane Security and Comodo.
We even write our own custom rules if we feel that none of the rules adequately protect our customer servers against a new threat.
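As an added example (not from the original post), this is how a NAXSI rule set is wired into Nginx. It also shows why the rule set matters: the core rules only score requests, and the CheckRule thresholds and site-specific whitelists decide what is actually blocked. File paths, the hostname, the backend address and the whitelisted "q" parameter are assumptions.

```nginx
# Added example, not part of the original post. Paths and the "q" parameter are assumed.
http {
    # Core signatures shipped with NAXSI: each match only adds to a score
    # ($SQL, $XSS, $RFI, $TRAVERSAL, $EVADE); this file alone blocks nothing.
    include /etc/nginx/naxsi_core.rules;

    server {
        listen 80;
        server_name example.com;            # assumed hostname

        location / {
            SecRulesEnabled;                # turn the WAF on for this location
            # LearningMode;                 # uncomment to log, but not block, while tuning rules
            DeniedUrl "/RequestDenied";     # blocked requests are internally redirected here

            # Per-category score thresholds: exceed one and the request is blocked.
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;

            # Site-specific whitelist: the single-quote rule (id 1013 in naxsi_core.rules;
            # check the id in your copy) is allowed in the search parameter "q", so a
            # search for "O'Brien" is not blocked while the rule still applies elsewhere.
            BasicRule wl:1013 "mz:$ARGS_VAR:q";

            error_log /var/log/nginx/naxsi.log;   # assumed path; blocked requests are logged here
            proxy_pass http://127.0.0.1:8080;     # assumed application backend
        }

        location /RequestDenied {
            internal;                       # only reachable via the DeniedUrl redirect
            return 403;
        }
    }
}
```

Run a new rule set in LearningMode against real traffic first and turn the logged false positives into BasicRule whitelists before switching to blocking.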
2. Scan and patch vulnerable web applications
As they say, prevention is better than cure.
That is why we proactively patch all web applications in our customer servers as soon as a vulnerability is disclosed.
Our engineers continuously scan the versions of all web apps installed on the server, compare them with the latest upstream releases, and apply patches whenever a version is found to be outdated.
Now, there are servers on which site owners do not approve of proactive patching.
On such servers, we set up Docker or LXC based website isolation, so that even if one website gets infected, no other user on the server is affected.
3. Set up a strong network firewall
These days, all kinds of server infections are done using automated tools.
And these tools rely on repetitive “brute forcing” methods to try out various exploits or to crack a login screen.
Such patterns can be easily detected by a well configured network firewall.
We custom configure Linux firewalls and set up additional tools such as CSF to make sure all kinds of malicious behavior, such as port scanning, brute forcing, etc., are detected and blocked before they even reach the Nginx service.
4. Harden the application server (e.g. the PHP service)
Many exploits work using the features and capabilities provided by the underlying web application engine.
The most popular application engine in the servers we maintain is PHP.
PHP contains many functions that are not required by a normal web application like Magento or WordPress, but are essential for malware to function.
So, we disable those functions and implement additional security settings to deny execution of malware even if it somehow manages to get into the server.
One such security add-on that we’ve used is Suhosin.
5. Tweak Nginx settings for security
Nginx by default is configured for performance, and not security.
A few common settings we tweak to harden Nginx are:
- Reject all request methods except GET, POST and HEAD
- Limit concurrent connections from one IP to 10 to defeat DoS attacks.
- Restrict request size and buffer size to limit buffer overflow attacks
- Disable all Nginx modules that we don’t need to reduce the attack surface area.
- Disable Nginx headers and PHP info to deny attackers information about the server.
- Enable security headers such as “X-XSS-Protection” and “X-Frame-Options” to block common attacks.
We implement additional settings based on the unique nature of the application being hosted on the server, and the architecture in which Nginx runs (e.g. as a reverse proxy).
6. Implement strong SSL ciphers and set up SSL auto-renewal
OpenSSL has received a lot of bad rap in recent years because of wave after wave of security vulnerabilities.
Many of these issues happened because people kept using old and weak ciphers and protocols.
That is why we make it a point to review the SSL cipher and protocol list on all our customer servers at least once a month.
We make it a point to remove vulnerable ciphers and protocols such as RC4, SSLv2, SSLv3, etc. and enable only those that are proven to be strong.
In addition to this, we enable HSTS (HTTP Strict Transport Security) on eCommerce sites to force the use of SSL-based connections only, so that no one can create a look-alike page and trick end-users into sharing their card info.
Finally, we set up auto-renewal for all certificates installed on the server (using the open source CA Let's Encrypt), so that the sites always remain safe for customers to use.
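The list above as a working configuration, added here as an example that is not from the original post: it covers the method restriction, the per-IP connection limit, request and buffer sizes, hidden version headers and security headers for a PHP-FPM backed site. The hostname, paths, socket, sizes and the 10-connection limit are assumptions; dropping unneeded modules is a build-time (--without-...) or load_module decision and is not shown.

```nginx
# Added example, not from the original post. Hostname, paths, sizes and limits are assumed.
http {
    server_tokens off;                        # no version in the "Server:" header or error pages

    # One connection-counting zone keyed on client address.
    limit_conn_zone $binary_remote_addr zone=perip:10m;

    # Small request bodies and header buffers; oversize requests get 413 (body) or 400/414 (headers).
    client_max_body_size        1m;
    client_body_buffer_size     16k;
    client_header_buffer_size   1k;
    large_client_header_buffers 2 4k;
    client_body_timeout         10s;          # slow-body uploads are cut off
    client_header_timeout       10s;

    server {
        listen 80;
        server_name example.com;              # assumed hostname
        root /var/www/example.com;            # assumed document root
        index index.php index.html;

        limit_conn perip 10;                  # at most 10 concurrent connections per client IP

        # Reject every method except GET, HEAD and POST with 405.
        if ($request_method !~ ^(GET|HEAD|POST)$) {
            return 405;
        }

        # Security headers; "always" sends them on error responses too.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;

        # Never execute PHP from the upload directory, a common malware drop point.
        # Regex locations match in order, so this must come before the generic PHP block.
        location ~* ^/uploads/.*\.php$ { return 403; }

        location ~ \.php$ {
            try_files $uri =404;              # only real files reach PHP-FPM
            fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
}
```

Note that add_header directives are not inherited into a location block that sets its own add_header, so repeat the security headers in any such block or they silently disappear there.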
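The TLS side of the same server, added as an example that is not from the original post. It goes a step further than the text by leaving out TLS 1.0 and 1.1 as well as SSLv2/SSLv3 and RC4, and it keeps port 80 open only for the ACME challenge so Let's Encrypt renewal keeps working. The hostname, certificate paths (certbot's defaults) and the ACME webroot are assumptions.

```nginx
# Added example, not from the original post. Hostname, certificate paths and webroot are assumed.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;   # certbot default path
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Protocols not listed here are never offered, so SSLv2/v3 and TLS 1.0/1.1 are gone.
    # TLSv1.3 needs OpenSSL 1.1.1 or later.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret AEAD suites only; RC4, 3DES, CBC, NULL/export and MD5 suites are excluded.
    # (TLS 1.3 suites are fixed by OpenSSL and are not affected by this list.)
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;           # every listed suite is strong; let the client pick

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;                 # ticket keys are rarely rotated; the cache keeps forward secrecy

    # HSTS: a browser that has seen this header refuses plain HTTP to this host for a year.
    # Start with a short max-age until every subdomain is confirmed to serve HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example.com;               # assumed document root; site config continues here
}

# Port 80 answers only the ACME challenge and redirects everything else to HTTPS.
# Renewal itself runs from a scheduled "certbot renew --deploy-hook 'systemctl reload nginx'" (assumed).
server {
    listen 80;
    server_name example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;           # assumed webroot passed to "certbot --webroot"
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
```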
7. Monitor servers 24/7 & install patches as soon as they’re available
Last but not least, you need to set up a constant vigil against new kinds of attacks coming over the horizon.
That is why Bobcares security experts monitor our customer servers 24/7 for security events, vulnerability disclosures, pending updates and more.
We apply server patches as soon as they become available.
If a new vulnerability is revealed that doesn’t have an official patch yet, we design a hot-fix for the vulnerability so that it cannot be exploited until an official patch comes out.
There are a hundred ways to harden an Nginx server, but what are the important ones? Today we’ve looked at the top security threats facing an Nginx server, and what we do here at Bobcares to secure it from hackers and malware.