Securing NGINX

When setting up a website, it is very important to know how to secure it. I'm saying this because, even though NGINX is started by root and then runs as the unprivileged www-data user, people still skip the few configuration lines that would prevent most of the easy attacks on their site.

Firstly, make sure you have HTTPS. It encrypts the connection between the site and the visitor. Most sites have it (well, except the Tor ones), but it's good to know that it prevents sniffing (and other nasty) attacks. Moving along.

Open /etc/nginx/nginx.conf and uncomment the line # server_tokens off; in the http block. If server tokens are not disabled, anyone can request a gibberish path on your site and read the NGINX version from the error page and the Server header. You want to prevent attackers from performing recon, and handing them the version is the equivalent of mission failure: they will search for or discover vulnerabilities FOR that exact version. Restart NGINX afterwards.

systemd: sudo systemctl restart nginx
OpenRC: sudo rc-service nginx restart

Is your web server up to date? The more popular a piece of software is, the more it gets targeted. Vulnerabilities keep being discovered in old versions, and platforms like HackTheBox, VulnHub and TryHackMe deliberately use virtual machines with outdated versions for training.

  • Arch-based: sudo pacman -Syyu
  • Debian-based: sudo apt update && sudo apt upgrade -yy

We're just getting started! Now we need to add headers, which tell clients/browsers what NOT to do.

HTTP Strict Transport Security (HSTS) is a standard by which a site tells the browser to use HTTPS only, for every future request to it. Insert add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; into your server block.

Adding add_header X-Frame-Options "SAMEORIGIN"; and add_header X-XSS-Protection "1; mode=block"; helps against cross-site scripting and related attacks: the first line only lets pages from the same origin embed your site in an iframe, and the second turns on the browser's built-in XSS filter.

NGINX is a large piece of software, and like other large projects it has a correspondingly large attack surface. If that worries you, compile it from source with configure flags that leave out the modules you don't need.

None of this is anything special; in fact, these settings should be the defaults. You can always Google more ways to harden NGINX, along with other server software! That's about it. Run ss -tupn && ss -tupln, and don't forget to check your ports!
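To check that the settings above actually reach the browser, here is a small header audit script. It is an added example, not code from the original post: it uses only the Python standard library, the two sample header sets are constructed (not captured from any real server), and the thresholds and check names are my own choices for illustration. Run it without arguments to see the two samples audited; pass a host name to audit a live site over HTTPS.

```python
"""Check a site's response headers for the hardening settings discussed above.

Added example, not code from the original post. It relies only on the Python
standard library; the sample header sets and the audit rules are assumptions
made for illustration.
"""
import re
import ssl
import sys
import http.client

# One year in seconds, the minimum max-age the HSTS preload list accepts.
MIN_HSTS_MAX_AGE = 31536000

# Constructed sample responses (not captured from any real server).
UNHARDENED_HEADERS = {
    "server": "nginx/1.18.0",          # server_tokens left on: version leaks
    "content-type": "text/html",
}

HARDENED_HEADERS = {
    "server": "nginx",                 # server_tokens off: product name only
    "strict-transport-security": "max-age=31536000; includeSubdomains; preload",
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
    "content-type": "text/html",
}


def audit(headers):
    """Return a list of findings; an empty list means every check passed.

    `headers` maps lower-cased header names to their values.
    """
    findings = []

    # server_tokens: a digit.digit pattern in the Server header is a version.
    server = headers.get("server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append(f"Server header reveals a version: {server!r} (set server_tokens off)")

    # HSTS: present, long-lived, and covering subdomains.
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if match is None or int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age is below {MIN_HSTS_MAX_AGE}: {hsts!r}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS does not include subdomains")

    # Framing: only SAMEORIGIN or DENY keep the page out of third-party frames.
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo not in ("SAMEORIGIN", "DENY"):
        findings.append(f"X-Frame-Options missing or permissive: {xfo!r}")

    if "x-xss-protection" not in headers:
        findings.append("X-XSS-Protection header missing")

    return findings


def fetch_headers(host, port=443, path="/this-path-does-not-exist"):
    """Fetch the response headers of a live host over HTTPS.

    A path that does not exist is requested on purpose: the error page is where
    a version-bearing Server header shows up when server_tokens is on.
    """
    conn = http.client.HTTPSConnection(host, port, timeout=10,
                                       context=ssl.create_default_context())
    try:
        conn.request("GET", path, headers={"Host": host})
        response = conn.getresponse()
        return {name.lower(): value for name, value in response.getheaders()}
    finally:
        conn.close()


def report(label, headers):
    """Print the audit result for one header set and return the findings."""
    findings = audit(headers)
    status = "OK" if not findings else f"{len(findings)} finding(s)"
    print(f"{label}: {status}")
    for finding in findings:
        print(f"  - {finding}")
    return findings


if __name__ == "__main__":
    report("constructed unhardened sample", UNHARDENED_HEADERS)
    report("constructed hardened sample", HARDENED_HEADERS)
    # Optionally audit a live host: python3 audit_headers.py example.org
    if len(sys.argv) > 1:
        report(sys.argv[1], fetch_headers(sys.argv[1]))
```

Two things to keep in mind when the audit reports a missing header even though you added it: NGINX only inherits add_header directives from the enclosing block when the current block (a location, for example) has no add_header of its own, so a single add_header inside a location silently drops the ones from the server block; and browsers only honour Strict-Transport-Security on responses received over HTTPS, so the plain-HTTP listener should simply redirect. Note also that with server_tokens off the Server header still reads "nginx", just without the version, and that current Chromium and Firefox no longer act on X-XSS-Protection; a Content-Security-Policy header is the modern way to limit script execution.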

Written by VickyTheChills on Apr 07, 2022 at 07:09:12 EEST