Gordon
Assistant Engineer
Assistant Engineer
  • UID622
  • Fans1
  • Follows0
  • Posts52
Reads:2680Replies:6

The 20 step to create the most secure Nginx Web server

Created#
More Posted time:Jul 14, 2016 9:58 AM
Nginx is a lightweight, high performance Web server/reverse proxy and e-mail (IMAP/POP3) proxy. It runs on UNIX, GNU/Linux, BSD variants, Mac OS X, Solaris, and Microsoft Windows. According to statistics, 6% of Websites use the Nginx Webserver. Nginx is one of a handful of servers able to address the C10K problem. Unlike traditional servers, Nginx does not rely on threads to handle requests. Instead it uses a much more scalable event-driven (asynchronous) architecture. Nginx powers several high traffic Websites, such as WordPress, renren.com, Tencent, and 163.com. This article explores how to improve the security of the Nginx Webserver running on Linux or UNIX.
 
Default Configuration Files and Nginx Ports
•    /usr/local/nginx/conf/: Nginx configuration file directory, where /usr/local/nginx/conf/nginx.conf is the main configuration file
•    /usr/local/nginx/html/: default Website file location
•    /usr/local/nginx/logs/: default log file location
•    Nginx HTTP default port: TCP 80
•    Nginx HTTPS default port: TCP 443
 
You can run the following command to test Nginx configuration file accuracy:

/usr/local/nginx/sbin/nginx -t
 
Sample output:
the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
configuration file /usr/local/nginx/conf/nginx.conf test is successful
To reload the configuration files, run the following command:

/usr/local/nginx/sbin/nginx -s reload
 
To stop the server, run the following command:

/usr/local/nginx/sbin/nginx -s stop
 
I. Configure SELinux
 
Security-enhanced Linux (SELinux) is a Linux kernel feature that provides a security policy protection mechanism supporting access control. It can stop many attacks. The following describes how to start SELinux on CentOS or RHEL.
Install SELinux

rpm -qa | grep selinux
 
libselinux-1.23.10-2
selinux-policy-targeted-1.23.16-6
If no output is returned, SELinux is not installed. If an output similar to the above sample is returned, SELinux is installed.
Boolean Lock
Run the getsebool -a command to lock the system.

getsebool -a | less
getsebool -a | grep off
getsebool -a | grep o

 
II. Allow Minimal Privileges by Partitioning and Attaching
 
Put all Webpage /html/php files on the server to separate partitions. For example, create a partition named /dev/sda5 (first logical partition) and attach it to /nginx. Make sure it is attached to /nginx with noexec, nodev, and nosetuid permissions. Here is my /etc/fstab entry for attaching to /nginx:
LABEL=/nginx /nginx ext3 defaults,nosuid,noexec,nodev 1 2
NOTE: You need to create a new partition using fdisk and mkfs.ext3 commands.
 
III. Linux /etc/sysctl.conf Hardening
 
You can control and configure Linux kernel and network settings via /etc/sysctl.conf.

1.    # Avoid a smurf attack
2.    net.ipv4.icmp_echo_ignore_broadcasts = 1
3.    # Turn on protection for bad icmp error messages
4.    net.ipv4.icmp_ignore_bogus_error_responses = 1
5.    # Turn on syncookies for SYN flood attack protection
6.    net.ipv4.tcp_syncookies = 1
7.    # Turn on and log spoofed, source routed, and redirect packets
8.    net.ipv4.conf.all.log_martians = 1
9.    net.ipv4.conf.default.log_martians = 1
10.    # No source routed packets here
11.    net.ipv4.conf.all.accept_source_route = 0
12.    net.ipv4.conf.default.accept_source_route = 0
13.    # Turn on reverse path filtering
14.    net.ipv4.conf.all.rp_filter = 1
15.    net.ipv4.conf.default.rp_filter = 1
16.    # Make sure no one can alter the routing tables
17.    net.ipv4.conf.all.accept_redirects = 0
18.    net.ipv4.conf.default.accept_redirects = 0
19.    net.ipv4.conf.all.secure_redirects = 0
20.    net.ipv4.conf.default.secure_redirects = 0
21.    # Don’t act as a router
22.    net.ipv4.ip_forward = 0
23.    net.ipv4.conf.all.send_redirects = 0
24.    net.ipv4.conf.default.send_redirects = 0
25.    # Turn on execshild
26.    kernel.exec-shield = 1
27.    kernel.randomize_va_space = 1
28.    # Tuen IPv6
29.    net.ipv6.conf.default.router_solicitations = 0
30.    net.ipv6.conf.default.accept_ra_rtr_pref = 0
31.    net.ipv6.conf.default.accept_ra_pinfo = 0
32.    net.ipv6.conf.default.accept_ra_defrtr = 0
33.    net.ipv6.conf.default.autoconf = 0
34.    net.ipv6.conf.default.dad_transmits = 0
35.    net.ipv6.conf.default.max_addresses = 1
36.    # Optimization for port usefor LBs
37.    # Increase system file descriptor limit
38.    fs.file-max = 65535
39.    # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
40.    kernel.pid_max = 65536
41.    # Increase system IP port limits
42.    net.ipv4.ip_local_port_range = 2000 65000
43.    # Increase TCP max buffer size setable using setsockopt()
44.    net.ipv4.tcp_rmem = 4096 87380 8388608
45.    net.ipv4.tcp_wmem = 4096 87380 8388608
46.    # Increase Linux auto tuning TCP buffer limits
47.    # min, default, and max number of bytes to use
48.    # set max to at least 4MB, or higher if you use very high BDP paths
49.    # Tcp Windows etc
50.    net.core.rmem_max = 8388608
51.    net.core.wmem_max = 8388608
52.    net.core.netdev_max_backlog = 5000
53.    net.ipv4.tcp_window_scaling = 1

 
IV. Remove All Unwanted Nginx Modules
 
You need to minimize the number of modules by directly compiling Nginx source code. This minimizes risks by allowing only the Web server to access modules. You can configure and install Nginx using only required modules. For example, you can run the following commands to disable SSI and autoindex module:

./configure –without-http_autoindex_module –without-http_ssi_module
make
make install

 
Run the following command to see which modules can be enabled or disabled while compiling the Nginx server:

./configure –help | less
 
Disable Nginx modules you do not need.
(Optional) Change the Nginx version name.
Run the following command to edit /http/ngx_http_header_filter_module.c:

vi +48 src/http/ngx_http_header_filter_module.c
 
Find lines:

static char ngx_http_server_string[] = “Server: nginx” CRLF;
static char ngx_http_server_full_string[] = “Server: ” NGINX_VER CRLF;

 
Change them as follows:

static char ngx_http_server_string[] = “Server: Ninja Web Server” CRLF;
static char ngx_http_server_full_string[] = “Server: Ninja Web Server” CRLF;

 
Save and close the file. Now you can compile the server. Add the following to nginx.conf to disable Nginx version number display:

server_tokens off
 
V. Use mod_security (only for backend Apache servers)
 
mod_security provides an application level firewall for Apache. Install mod_security for all backend Apache Web servers. This will stop many injection attacks.
 
VI. Install SELinux Policies to Harden the Nginx Webserver
 
By default, SELinux does not protect the Nginx Webserver. However, you can install and compile protective software as follows.
1. Install environment support required by SELinux compilation.

yum -y install selinux-policy-targeted selinux-policy-devel
 
2. Download SELinux policies to harden the Nginx Webserver.

[list=1]
•  cd /opt
•  wget ‘[url]http://downloads.sourceforge.net/project/selinuxnginx/se-ngix_1_0_10.tar.gz?use_mirror=nchc
[Gordon edited the post at Dec 21, 2016 14:36 PM]

Dave
Assistant Engineer
Assistant Engineer
  • UID627
  • Fans2
  • Follows0
  • Posts55
1st Reply#
Posted time:Jul 14, 2016 11:15 AM
Exactly,it has lots of ways to control and configure Linux kernel and network settings.

Kenan
Assistant Engineer
Assistant Engineer
  • UID621
  • Fans0
  • Follows0
  • Posts55
2nd Reply#
Posted time:Jul 14, 2016 11:22 AM
There's another way,setting limits through iptables firewall.

Adolph
Engineer
Engineer
  • UID623
  • Fans2
  • Follows1
  • Posts72
3rd Reply#
Posted time:Jul 14, 2016 11:27 AM
Nginx is a good tool, the function of Nginx is not limited to the construction of Web server.

alikhajeh1
Intern
Intern
  • UID1200
  • Fans1
  • Follows0
  • Posts1
4Floor#
Posted time:Nov 19, 2016 20:31 PM
https://intl.aliyun.com/help/doc-detail/25430.htm?spm=a3c0i.o25378en.b99.56.3lTeMK mentions that we should not enable SELinux or NetworkManager, why is that? We asked Aliyun support but they just say don't enable it but don't explain why or what could go wrong.

shhanshan
Forum Moderator
Forum Moderator
  • UID105
  • Fans3
  • Follows0
  • Posts173
5Floor#
Posted time:Nov 21, 2016 21:44 PM
alikhajeh1:https://intl.aliyun.com/help/doc-detail/25430.htm?spm=a3c0i.o25378en.b99.56.3lTeMK mentions that we should not enable SE...回到原帖
Hi,

1. Do not enable the NetWorkManager service. This service will conflict with the system’s internal network service and cause network errors.

2. Do not activate SELinux. This will lead system can't boot successfully.

Thanks

shhanshan
Forum Moderator
Forum Moderator
  • UID105
  • Fans3
  • Follows0
  • Posts173
6Floor#
Posted time:Nov 21, 2016 21:45 PM
Hi,

1. Do not enable the NetWorkManager service. This service will conflict with the system’s internal network service and cause network errors.

2. Do not activate SELinux. If enable SELinux, it will lead system can't boot successfully.
Guest