:Improve Nginx web server security

Background information

Nginx is a lightweight, high-performance web server, reverse proxy, and mail (IMAP or POP3) proxy server. It runs on various versions of UNIX, GNU/Linux, BSD, Mac OS X, Solaris, and Windows. According to surveys, Nginx is used by 6% of all websites. Nginx is one of the few servers that can handle the C10k problem. Unlike traditional servers, Nginx does not rely on threads to handle requests. Instead, it uses a more scalable event-driven (asynchronous) architecture. Nginx powers some of the highest-traffic websites, such as WordPress, Renren, Tencent, and NetEase. This topic describes security enhancements for an Nginx web server that runs on a Linux or UNIX system.

Procedure

This section describes the default configuration files and ports for Nginx.

• /usr/local/nginx/conf/ is the Nginx configuration directory. /usr/local/nginx/conf/nginx.conf is the main configuration file.

• /usr/local/nginx/html/ is the default location for website files.

• /usr/local/nginx/logs/ is the default location for log files.

• The default Nginx HTTP port is TCP 80.

• The default Nginx HTTPS port is TCP 443.

1. Validate the Nginx configuration file.

   /usr/local/nginx/sbin/nginx -t

   The output is as follows.

   the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
   configuration file /usr/local/nginx/conf/nginx.conf test is successful

2. Reload the configuration file.

   /usr/local/nginx/sbin/nginx -s reload

3. Stop the server.

   /usr/local/nginx/sbin/nginx -s stop

Step 1: Configure SELinux

Security-Enhanced Linux (SELinux) is a Linux kernel feature that provides a security policy mechanism to support access control and can defend against most attacks. The following steps show how to enable SELinux on a CentOS or RHEL system.

1. Run the following command to install SELinux.

   rpm -qa | grep selinux

   If no output is returned, SELinux is not installed. If output similar to the following is returned, SELinux is installed.

   libselinux-1.23.10-2
   selinux-policy-targeted-1.23.16-6

2. Use the getsebool -a command to lock down the system. Examples are shown below.

   getsebool -a | less
   getsebool -a | grep off
   getsebool -a | grep o

Step 2: Grant minimum privileges by mounting partitions

Create a separate partition for your web files, such as /html/php files. For example, you can create a new partition /dev/sda5 (the first logical partition) and mount it to /nginx. Make sure that the /nginx partition is mounted with the noexec, nodev, and nosuid permissions. The following is an example of the /nginx entry in the /etc/fstab file.

LABEL=/nginx /nginx ext3 defaults,nosuid,noexec,nodev 1 2

Step 3: Harden Linux security by configuring /etc/sysctl.conf

Edit the /etc/sysctl.conf file to control and configure Linux kernel and network settings, as shown in the following example.

# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Don’t act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Turn on execshild
kernel.exec-shield = 1
kernel.randomize_va_space = 1
# Tuen IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
# Optimization for port usefor LBs
# Increase system file descriptor limit
fs.file-max = 65535
# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
kernel.pid_max = 65536
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
# Tcp Windows etc
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1

Step 4: Remove all unnecessary Nginx modules

Compile Nginx from the source code to minimize the number of modules. To minimize risk, restrict the web server to access only the modules it needs. Configure and install only the Nginx modules that you need.

1. Disable the SSL and autoindex modules.

   ./configure -without-http_autoindex_module -without-http_ssi_module
   make
   make install

2. Check which modules can be enabled or disabled when you compile the Nginx server.

   ./configure -help | less

3. Disable any Nginx modules that you do not use.

4. If needed, you can change the Nginx version name. To do this, edit the /http/ngx_http_header_filter_module.c file and find the following lines.

   static char ngx_http_server_string[] = “Server: nginx” CRLF;
   static char ngx_http_server_full_string[] = “Server: ” NGINX_VER CRLF;

   Change them to the following.

   static char ngx_http_server_string[] = “Server: Ninja Web Server” CRLF;
   static char ngx_http_server_full_string[] = “Server: Ninja Web Server” CRLF;

5. Save and close the file. Then, edit the server configuration. Add the following code to the nginx.conf file to hide the Nginx version number.

   server_tokens off

Step 5: Use mod_security

mod_security is an application-level firewall for Apache. You can install mod_security for your backend Apache web server to prevent many injection attacks.

Step 6: Install an SELinux policy to harden the Nginx web server

The default SELinux policy does not protect the Nginx web server, but you can install and compile a policy to protect it.

1. Install the environment required to compile the SELinux policy.

   yum -y install selinux-policy-targeted selinux-policy-devel

2. Download the SELinux policy for Nginx.

   cd /opt
   wget http://downloads.sourceforge.net/project/selinuxnginx/se-ngix_1_0_10.tar.gz?use_mirror=nchc&rsquo

3. Decompress the file.

   tar -zxvf se-ngix_1_0_10.tar.gz

4. Compile the file.

   cd se-ngix_1_0_10/nginx
   make

   The output is as follows.

   Compiling targeted nginx module
   /usr/bin/checkmodule: loading policy configuration from tmp/nginx.tmp
   /usr/bin/checkmodule: policy configuration loaded
   /usr/bin/checkmodule: writing binary representation (version 6) to tmp/nginx.mod
   Creating targeted nginx.pp policy package

5. Delete the temporary files.

   rm tmp/nginx.mod.fc tmp/nginx.mod

6. Install the generated nginx.pp SELinux module.

   /usr/sbin/semodule -i nginx.pp

Step 7: Use Iptables firewall for restrictions

The following firewall script blocks all requests except those that are explicitly allowed.

• Requests from HTTP (TCP port 80)

• Requests from ICMP ping

• Outgoing requests to NTP (port 123)

• Outgoing requests to SMTP (TCP port 25)

#!/bin/bash

IPT=”/sbin/iptables”

#### IPS ######
# Get server public ip
SERVER_IP=$(ifconfig eth0 | grep ‘inet addr:’ | awk -F’inet addr:’ ‘{ print $2}’ | awk ‘{ print $1}’)
LB1_IP=”204.X.X.1″
LB2_IP=”204.X.X.2″

# Do some smart logic so that we can use damm script on LB2 too
OTHER_LB=”"
SERVER_IP=”"
[[ "$SERVER_IP" == "$LB1_IP" ]] && OTHER_LB=”$LB2_IP” || OTHER_LB=”$LB1_IP”
[[ "$OTHER_LB" == "$LB2_IP" ]] && OPP_LB=”$LB1_IP” || OPP_LB=”$LB2_IP”


### IPs ###
PUB_SSH_ONLY=”122.xx.yy.zz/29″

#### FILES #####
BLOCKED_IP_TDB=/root/.fw/blocked.ip.txt
SPOOFIP=”127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32 168.254.0.0/16 224.0.0.0/4 240.0.0.0/5 248.0.0.0/5 192.0.2.0/24″
BADIPS=$( [[ -f ${BLOCKED_IP_TDB} ]] && egrep -v “^#|^$” ${BLOCKED_IP_TDB})

### Interfaces ###
PUB_IF=”eth0″   # public interface
LO_IF=”lo”      # loopback
VPN_IF=”eth1″   # vpn / private net

### start firewall ###
echo “Setting LB1 $(hostname) Firewall…”
# DROP and close everything
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Unlimited lo access
$IPT -A INPUT -i ${LO_IF} -j ACCEPT
$IPT -A OUTPUT -o ${LO_IF} -j ACCEPT
# Unlimited vpn / pnet access
$IPT -A INPUT -i ${VPN_IF} -j ACCEPT
$IPT -A OUTPUT -o ${VPN_IF} -j ACCEPT
# Drop sync
$IPT -A INPUT -i ${PUB_IF} -p tcp ! -syn -m state -state NEW -j DROP
# Drop Fragments
$IPT -A INPUT -i ${PUB_IF} -f -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp -tcp-flags ALL FIN,URG,PSH -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp -tcp-flags ALL ALL -j DROP

# Drop NULL packets
$IPT  -A INPUT -i ${PUB_IF} -p tcp -tcp-flags ALL NONE -m limit -limit 5/m -limit-burst 7 -j LOG -log-prefix ” NULL Packets “
$IPT  -A INPUT -i ${PUB_IF} -p tcp -tcp-flags ALL NONE -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp -tcp-flags SYN,RST SYN,RST -j DROP
# Drop XMAS
$IPT  -A INPUT -i ${PUB_IF} -p tcp -tcp-flags SYN,FIN SYN,FIN -m limit -limit 5/m -limit-burst 7 -j LOG -log-prefix ” XMAS Packets “
$IPT  -A INPUT -i ${PUB_IF} -p tcp -tcp-flags SYN,FIN SYN,FIN -j DROP

# Drop FIN packet scans
$IPT  -A INPUT -i ${PUB_IF} -p tcp -tcp-flags FIN,ACK FIN -m limit -limit 5/m -limit-burst 7 -j LOG -log-prefix ” Fin Packets Scan “
$IPT  -A INPUT -i ${PUB_IF} -p tcp -tcp-flags FIN,ACK FIN -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp -tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Log and get rid of broadcast / multicast and invalid
$IPT  -A INPUT -i ${PUB_IF} -m pkttype -pkt-type broadcast -j LOG -log-prefix ” Broadcast “
$IPT  -A INPUT -i ${PUB_IF} -m pkttype -pkt-type broadcast -j DROP
$IPT  -A INPUT -i ${PUB_IF} -m pkttype -pkt-type multicast -j LOG -log-prefix ” Multicast “
$IPT  -A INPUT -i ${PUB_IF} -m pkttype -pkt-type multicast -j DROP
$IPT  -A INPUT -i ${PUB_IF} -m state -state INVALID -j LOG -log-prefix ” Invalid “
$IPT  -A INPUT -i ${PUB_IF} -m state -state INVALID -j DROP
# Log and block spoofed ips
$IPT -N spooflist
for ipblock in $SPOOFIP
do
$IPT -A spooflist -i ${PUB_IF} -s $ipblock -j LOG -log-prefix ” SPOOF List Block “
$IPT -A spooflist -i ${PUB_IF} -s $ipblock -j DROP
done
$IPT -I INPUT -j spooflist
$IPT -I OUTPUT -j spooflist
$IPT -I FORWARD -j spooflist

# Allow ssh only from selected public ips
for ip in ${PUB_SSH_ONLY}
do
$IPT -A INPUT -i ${PUB_IF} -s ${ip} -p tcp -d ${SERVER_IP} -destination-port 22 -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -d ${ip} -p tcp -s ${SERVER_IP} -sport 22 -j ACCEPT
done

# allow incoming ICMP ping pong stuff
$IPT -A INPUT -i ${PUB_IF} -p icmp -icmp-type 8 -s 0/0 -m state -state NEW,ESTABLISHED,RELATED -m limit -limit 30/sec  -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -p icmp -icmp-type 0 -d 0/0 -m state -state ESTABLISHED,RELATED -j ACCEPT
# allow incoming HTTP port 80
$IPT -A INPUT -i ${PUB_IF} -p tcp -s 0/0 -sport 1024:65535 -dport 80 -m state -state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -p tcp -sport 80 -d 0/0 -dport 1024:65535 -m state -state ESTABLISHED -j ACCEPT
# allow outgoing ntp
$IPT -A OUTPUT -o ${PUB_IF} -p udp -dport 123 -m state -state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p udp -sport 123 -m state -state ESTABLISHED -j ACCEPT
# allow outgoing smtp
$IPT -A OUTPUT -o ${PUB_IF} -p tcp -dport 25 -m state -state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp -sport 25 -m state -state ESTABLISHED -j ACCEPT

### add your other rules here ####
#######################
# drop and log everything else
$IPT -A INPUT -m limit -limit 5/m -limit-burst 7 -j LOG -log-prefix ” DEFAULT DROP “
$IPT -A INPUT -j DROP
exit 0

Step 8: Control buffer overflow attacks

Edit the nginx.conf file and set buffer size limits for all clients.

vi /usr/local/nginx/conf/nginx.conf

Set the buffer size limits for all clients as follows.

## Start: Size Limits & Buffer Overflows ##
client_body_buffer_size  1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
## END: Size Limits & Buffer Overflows ##

You also need to control timeouts to improve server performance and disconnect clients. Configure the settings as follows.

## Start: Timeouts ##
client_body_timeout   10;
client_header_timeout 10;
keepalive_timeout     5 5;
send_timeout          10;
## End: Timeouts ##

Step 9: Control concurrent connections

You can use the ngx_http_limit_conn_module to limit the number of concurrent connections for a specified session or, in special cases, from a single IP address. Edit the nginx.conf file to limit the number of simultaneous connections from a single client IP address to five.

# Describes the zone where session states are stored. In this example, they are stored in slimits.
# A 1 MB zone can handle about 32,000 sessions at 32 bytes per session. This example sets the zone size to 5 MB.
limit_conn_zone $binary_remote_addr zone=slimits:5m;

# Controls the maximum number of simultaneous connections for one session.
# Restricts the number of connections from a single IP address.
limit_conn slimits 5;

Step 10: Allow access only from your domain names

If bots are randomly scanning all domain names on your server, you can reject their requests. You must allow requests for your configured virtual domains or reverse proxies. You do not need to use IP addresses to deny requests. An example is shown below.

## Only requests to our Host are allowed i.e. nixcraft.in, images.nixcraft.in and www.nixcraft.in
if ($host !~ ^(nixcraft.in|www.nixcraft.in|images.nixcraft.in)$ ) {
return 444;
}
##

Step 11: Limit available request methods

GET and POST are the most common methods on the Internet. Web server methods are defined in RFC 2616. If your web server does not require all available methods, you should disable the ones you do not need. The following configuration filters out other methods and allows only the GET, HEAD, and POST methods.

## Only allow these request methods ##
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}
## Do not accept DELETE, SEARCH and other methods ##

More information about HTTP methods is provided below:

• The GET method is used to request a resource, such as the file at http://www.moqifei.com/index.php.

• The HEAD method is the same as the GET method, but the server does not return a message body in the response.

• The POST method is used for many purposes, such as storing or updating data, ordering a product, or sending an email by submitting a form. This method is typically handled by server-side scripts, such as PHP, Perl, and Python scripts. You must use this method to upload files or process data on the server.

Step 12: Block specific user agents

You can easily block user agents, such as scanners, bots, and spammers that abuse your server.

## Block download agents ##
if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
return 403;
}
##

The following example shows how to block the Soso and Youdao bots.

## Block some robots ##
if ($http_user_agent ~* Sosospider|YoudaoBot) {
return 403;
}

Step 13: Prevent image hotlinking

Image or HTML hotlinking occurs when someone uses the URL of an image on your website to display it on their own website. This results in you paying for the extra broadband costs. This practice is common on forums and blogs. We strongly recommend that you block hotlinking.

# Stop deep linking or hot linking
location /images/ {
valid_referers none blocked www.example.com example.com;
if ($invalid_referer) {
return   403;
}
}

Example: Redirect the request and display a specific image.

valid_referers blocked www.example.com example.com;
if ($invalid_referer) {
rewrite ^/images/uploads.*.(gif|jpg|jpeg|png)$ http://www.examples.com/banned.jpg last
}

Step 14: Restrict directories

You can set access permissions for specific directories. Configure each website directory individually and grant only the necessary access permissions.

Restrict access by IP address

You can restrict access to the /admin/ directory by IP address, as shown in the following example.

location /docs/ {
## block one workstation
deny    192.168.1.1;
## allow anyone in 192.168.1.0/24
allow   192.168.1.0/24;
## drop rest of the world
deny    all;
}

Protect a directory with a password

1. Create a password file and add the user user.

   mkdir /usr/local/nginx/conf/.htpasswd/
   htpasswd -c /usr/local/nginx/conf/.htpasswd/passwd user

2. Edit the nginx.conf file to add the directories that you want to protect.

   ### Password Protect /personal-images/ and /delta/ directories ###
   location ~ /(personal-images/.|delta/.) {
   auth_basic  “Restricted”;
   auth_basic_user_file   /usr/local/nginx/conf/.htpasswd/passwd;
   }

3. After the password file is generated, you can use the following command to add more users.

   htpasswd -s /usr/local/nginx/conf/.htpasswd/passwd userName

Step 15: Configure Nginx SSL

HTTP is a text-based protocol that is vulnerable to passive monitoring. You should use SSL to encrypt your user content.

1. Create an SSL Certificate.

   cd /usr/local/nginx/conf
   openssl genrsa -des3 -out server.key 1024
   openssl req -new -key server.key -out server.csr
   cp server.key server.key.org
   openssl rsa -in server.key.org -out server.key
   openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

2. Edit the nginx.conf file and update it as follows.

   server {
   server_name example.com;
   listen 443;
   ssl on;
   ssl_certificate /usr/local/nginx/conf/server.crt;
   ssl_certificate_key /usr/local/nginx/conf/server.key;
   access_log /usr/local/nginx/logs/ssl.access.log;
   error_log /usr/local/nginx/logs/ssl.error.log;
   }

3. Restart Nginx.

   /usr/local/nginx/sbin/nginx -s reload

Step 16: Nginx and PHP security recommendations

PHP is a popular server-side scripting language. Edit the /etc/php.ini file with the following settings.

# Disallow dangerous functions
disable_functions = phpinfo, system, mail, exec
## Try to limit resources  ##
# Maximum execution time of each script, in seconds
max_execution_time = 30
# Maximum amount of time each script may spend parsing request data
max_input_time = 60
# Maximum amount of memory a script may consume (8MB)
memory_limit = 8M
# Maximum size of POST data that PHP will accept.
post_max_size = 8M
# Whether to allow HTTP file uploads.
file_uploads = Off
# Maximum allowed size for uploaded files.
upload_max_filesize = 2M
# Do not expose PHP error messages to external users
display_errors = Off
# Limit external access to PHP environment
safemode_allowed_env_vars = PHP
# Restrict PHP information leakage
expose_php = Off
# Log all errors
log_errors = On
# Minimize allowable PHP post size
post_max_size = 1K
# Ensure PHP redirects appropriately
cgi.force_redirect = 0
# Disallow uploading unless necessary
file_uploads = Off
# Avoid Opening remote files
allow_url_fopen = Off

Step 17: Run Nginx in a chroot jail if possible

Placing Nginx in a chroot jail can reduce the potential for unauthorized access to other directories. You can use a traditional chroot setup with your Nginx installation. If possible, use virtualization technologies such as FreeBSD jails, Xen, or OpenVZ containers.

Step 18: Limit connections per IP at the firewall level

The web server must monitor and limit connections per second. Both PF and Iptables can block end users before they reach your Nginx server. The following example blocks an IP address if it makes more than 15 connections to port 80 within 60 seconds. You can set the connection limit based on your specific needs.

/sbin/iptables -A INPUT -p tcp -dport 80 -i eth0 -m state -state NEW -m recent -set
/sbin/iptables -A INPUT -p tcp -dport 80 -i eth0 -m state -state NEW -m recent -update -seconds 60  -hitcount 15 -j DROP
service iptables save

Step 19: Configure the operating system to protect the web server

As described earlier, enable SELinux and correctly set the permissions for the /nginx document root directory. Nginx runs as the user nginx. However, the root directory (such as /nginx or /usr/local/nginx/html) should not be owned by or be writable by the user nginx. Run the following command to find files with incorrect permissions.

find /nginx -user nginx
find /usr/local/nginx/html -user nginx

View permissions.

ls -l /usr/local/nginx/html/

The system displays output similar to the following.

-rw-r-r- 1 root root 925 Jan  3 00:50 error4xx.html
-rw-r-r- 1 root root  52 Jan  3 10:00 error5xx.html
-rw-r-r- 1 root root 134 Jan  3 00:52 index.html

Find backup files created by vi or other text editors. Then, use the -delete option of the find command to delete these files.

find /nginx -name ‘.?’ -not -name .ht -or -name ‘~’ -or -name ‘.bak’ -or -name ‘.old*’
find /usr/local/nginx/html/ -name ‘.?’ -not -name .ht -or -name ‘~’ -or -name ‘.bak’ -or -name ‘.old*

Step 20: Restrict outgoing Nginx connections

Hackers can use tools such as wget to download local files from your server. You can use Iptables to block outgoing connections from the nginx user. The ipt_owner module attempts to match the creator of locally generated packets. The following example only allows the user vivek to make outgoing connections on port 80.

/sbin/iptables -A OUTPUT -o eth0 -m owner -uid-owner vivek -p tcp -dport 80 -m state -state NEW,ESTABLISHED  -j ACCEPT

After you complete these configurations, your Nginx server will be much more secure and ready to publish web pages. However, you should also find more security information specific to your web application, such as WordPress or other third-party programs.