In order to implement security rules, first we need to know the types of attacks and vulnerabilities that hit a server or the Linux kernel.
The most common attacks are:
#1 brute force attacks and DDoS (to take down the server)
#2 SQL injection (to gain access to the database and steal valuable info like customer credit card details)
#3 XSS (cross-site scripting)
sending POST requests from their servers to our database.
#4 application level vulnerabilities, kernel level vulnerabilities etc.
rate limiting
We can configure it in nginx.conf:
block a certain IP address once it reaches the maximum requests per second.
This way we can avoid brute force attacks.
disable unwanted modules / build with only the required modules
so we limit operations
less exposure
# ./configure --without-http_autoindex_module
# make
# make install
Disable nginx server_tokens (hides the nginx version in response headers and error pages)
server_tokens off;
in nginx.conf
avoid large buffer sizes (keep these small to limit the memory one request can consume)
large_client_header_buffers
client_max_body_size
client_header_buffer_size
client_body_buffer_size
disable unwanted methods
location / {
    limit_except GET HEAD POST { deny all; }
}
Unwanted methods like DELETE and TRACE are blocked by nginx.
install ModSecurity or another WAF solution
set up a critical-level error log for convenience
error_log logs/error.log crit;
Monitor nginx with the status module / New Relic / Datadog
The nginx status module is free but you need to recompile nginx,
or follow the approach of nginx dynamic modules.
New Relic & Datadog are server & application monitoring services at the enterprise level.
also try netdata.
my recommendation is New Relic; you can also track on the Android app.
#add security headers
disable framing of your pages on other websites
add_header X-Frame-Options "SAMEORIGIN";
Strict-Transport-Security: HTTPS only
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
CSP and X-XSS-Protection headers
CSP
Content Security Policy, against XSS (cross-site scripting) attacks;
you must understand the policies before adding this.
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
XSS
getting data from your server database by POST requests.
add_header X-XSS-Protection "1; mode=block";
Configure the latest SSL versions & cipher suites
SSL 3 or TLS 1.0 are old and easy to hack.
TLS 1.2 also has some vulnerabilities.
TLS 1.3 is new but almost all browsers support it now as of 2020.
ssl_protocols TLSv1.2 TLSv1.3;
cipher suites chosen by the server's preference, not the client's
ssl_prefer_server_ciphers on;
keep nginx up to date
to know what they fixed and what new features were added.
always run
apt update
apt upgrade
then check the details on their website nginx.org
to check nginx security
install gixy
pip install gixy
& run
gixy
by default it checks
/etc/nginx/nginx.conf
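As an added example (not from these notes and not part of gixy), a small Python script that parses an nginx.conf and reports which of the settings listed above are missing or still weak; SAMPLE_CONF is a constructed config, and the parser only understands plain directives in one file (no include files or variables).

```python
import re

# Constructed sample nginx.conf with several of the weak settings discussed above.
SAMPLE_CONF = """
http {
    server_tokens on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    add_header X-Frame-Options "SAMEORIGIN";
    # add_header Strict-Transport-Security "max-age=31536000";
    server { location / { limit_except GET HEAD POST { deny all; } } }
}
"""
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
REQUIRED_HEADERS = {"X-Frame-Options", "Strict-Transport-Security", "Content-Security-Policy", "X-XSS-Protection"}
# Quoted strings are single tokens, so "max-age=31536000; preload" keeps its inner ';'.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def directives(conf):
    """Return [(name, [args])] for every directive or block opener, comments stripped."""
    found, stmt = [], []
    for tok in TOKEN.findall(re.sub(r"#[^\n]*", "", conf)):
        if tok in (";", "{", "}"):
            if stmt and tok != "}":
                found.append((stmt[0], [t.strip("\"'") for t in stmt[1:]]))
            stmt = []
        else:
            stmt.append(tok)
    return found

def audit(conf):
    """List the hardening points from the notes above that this config misses."""
    d = directives(conf)
    vals = {name: args for name, args in d}            # last occurrence wins
    headers = {args[0] for name, args in d if name == "add_header" and args}
    findings = []
    if vals.get("server_tokens", ["on"]) != ["off"]:   # nginx default is on
        findings.append("server_tokens is not off (version disclosed)")
    weak = WEAK_PROTOCOLS & set(vals.get("ssl_protocols", []))
    if weak:
        findings.append("ssl_protocols allows " + ", ".join(sorted(weak)))
    if vals.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    findings += ["missing add_header " + h for h in sorted(REQUIRED_HEADERS - headers)]
    if "limit_except" not in vals:
        findings.append("no limit_except: all HTTP methods allowed")
    if "limit_req_zone" not in vals:
        findings.append("no limit_req_zone: rate limiting not configured")
    return findings
```

Run `audit(open("/etc/nginx/nginx.conf").read())` against your own file; an empty list means every point on this checklist is covered.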
iptables / ufw / firewalld also help to strengthen the security.