How to harden Nginx Web Server on an Ubuntu 18.04 VPS or Dedicated Server

Introduction

Nginx is one of the most popular web servers and powers some of the busiest sites on the internet; it is fast and lightweight. Some of its default settings, however, leak information and leave browsers without protections the server could easily ask for. This article shows how to tighten an Nginx web server on Ubuntu 18.04 against information leakage, cross-site scripting, cookie theft through unwanted HTTP methods, and clickjacking.

Pre-requisites

Please ensure you have done the following before starting this tutorial:

  • Set up an Ubuntu 18.04 VPS
  • Installed the latest nginx web server (1.14.0 at the time of writing)
  • Made a backup copy of the configuration files /etc/nginx/nginx.conf and /etc/nginx/sites-available/default
  • Created a non-root user with sudo privileges

1. Hide Details About Nginx

By default nginx reports its exact version in the Server response header, as shown below.

Knowing the precise release lets an attacker look up the vulnerabilities known for that version instead of probing blindly, so the version should not be advertised.

$ curl -I http://35.226.204.122/
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Wed, 06 Jun 2018 14:35:24 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 06 Jun 2018 14:34:09 GMT
Connection: keep-alive
ETag: "5b17f0e1-264"
Accept-Ranges: bytes

Disable this by uncommenting the server_tokens line in the http section of the main nginx config file /etc/nginx/nginx.conf (Ubuntu ships it commented out):

http {
  server_tokens off;

Save the file and reload nginx

$ sudo systemctl reload nginx

Confirm that the version is no longer shown. The header still says nginx: server_tokens off removes the version number from the Server header and from the built-in error pages, but not the product name, and the server can still be fingerprinted from its response behaviour. Treat this step as removing a convenience for attackers, not as a security control on its own.

$ curl -I http://35.226.204.122/
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 06 Jun 2018 14:44:20 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 06 Jun 2018 14:34:09 GMT
Connection: keep-alive
ETag: "5b17f0e1-264"
Accept-Ranges: bytes

2. Enable X-XSS Protection

The X-XSS-Protection header asks the browser to enable its built-in filter for reflected cross-site scripting; mode=block tells it to stop rendering the page rather than try to sanitise it. Note that this protects the visitor's browser, not the web server, and that it is a legacy mechanism: Chromium-based browsers removed their XSS auditor in 2019 and Firefox never implemented one, so a Content-Security-Policy header is the modern control and this header only helps older clients. It costs nothing to send. Add the line below in the http section of the main nginx config file /etc/nginx/nginx.conf:

add_header X-XSS-Protection "1; mode=block";

As shown below:

http {
  server_tokens off;
  add_header X-XSS-Protection "1; mode=block";

Save the file and reload nginx service

3. Disable Undesirable HTTP methods

A site serving static content only needs GET, HEAD and POST. Other methods such as TRACE, which echoes the request back to the client and was historically abused in cross-site tracing (XST) attacks to read cookies that JavaScript could not access directly, or PUT and DELETE, are not needed and should be refused. If this server proxies a REST API that legitimately uses PUT or DELETE, extend the list below instead of copying it blindly.

To refuse the other methods, add the block below in the server section of the nginx config file /etc/nginx/sites-available/default. Using return inside an if at server level is one of the uses of if that the nginx documentation considers safe.

if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 405;
}

Add the lines as shown below:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # Reject every method other than GET, HEAD and POST with 405 Not Allowed
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 405;
    }
}

Save the file and reload nginx service

4. Prevent Clickjacking Attacks

In a clickjacking attack the attacker loads the target site in an invisible iframe on top of a decoy page, so that a logged-in user who thinks they are clicking a harmless button actually clicks a button on the target site. The defence is to tell the browser not to render the page inside frames belonging to other origins. The X-Frame-Options header with the value SAMEORIGIN allows the page to be framed only by pages from the same origin (DENY forbids framing altogether). Current browsers also honour the Content-Security-Policy frame-ancestors directive, which supersedes X-Frame-Options; sending both is harmless.

Add the line below in the http section in the main nginx config file /etc/nginx/nginx.conf

add_header X-Frame-Options "SAMEORIGIN";

As shown below:

http {
  server_tokens off;
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Frame-Options "SAMEORIGIN";

Save the file and reload nginx service
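The settings from steps 1 to 4 collected into one configuration, as an added example that is not the article's own listing. The paths and server_name are the Ubuntu defaults shown above; the /static/ location is a hypothetical addition included to show a pitfall: nginx inherits add_header directives from the enclosing level only when the current level defines none of its own, so a location that adds any header of its own silently drops the ones set in http {} unless they are repeated there. The always parameter makes the headers appear on error responses (4xx/5xx) as well.

```nginx
# Added example (not from the original article): steps 1-4 in one place.
http {
    # Step 1: no version number in Server: or on built-in error pages.
    server_tokens off;

    # Steps 2 and 4. Headers set here reach server/location blocks only if
    # those blocks define no add_header of their own (see /static/ below).
    # "always" sends them on error responses too, not only on 2xx/3xx.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Modern equivalent of X-Frame-Options; harmless to send alongside it.
    add_header Content-Security-Policy "frame-ancestors 'self'" always;

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;

        # Step 3: refuse everything but GET/HEAD/POST. "return" inside an
        # "if" at server level is one of the documented safe uses of "if".
        if ($request_method !~ ^(GET|HEAD|POST)$ ) {
            return 405;
        }

        location / {
            try_files $uri $uri/ =404;
        }

        # Hypothetical location added for illustration. Because it has its
        # own add_header, it inherits NOTHING from http {}; the security
        # headers must be repeated (or pulled in with "include") here.
        location /static/ {
            add_header Cache-Control "public, max-age=3600";
            add_header X-XSS-Protection "1; mode=block" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header Content-Security-Policy "frame-ancestors 'self'" always;
        }
    }
}
```

A practical way to avoid the repetition is to put the three add_header lines in a file such as /etc/nginx/snippets/security-headers.conf and `include` it in every server and location block that sets its own headers. Run `sudo nginx -t` before `sudo systemctl reload nginx` so a typo cannot take the server down.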

5. Always Keep Nginx Up-To-Date

Updates are how fixes for published vulnerabilities reach the server, so apply them promptly and regularly. Ubuntu's own nginx package receives security fixes from the Ubuntu security team as backported patches, which means the version number stays at 1.14.0 even after a fix is applied. The nginx PPA below provides newer upstream releases instead, at the cost of trusting a third-party repository and its signing key; choose one source and keep it updated. The commands are:

$ sudo add-apt-repository ppa:nginx/stable 
# Press enter to continue with the repository addition when given the prompt to proceed or not

$ sudo apt update

$ sudo apt install nginx -y

Conclusion

The five steps above are the basic measures for securing an nginx web server. Further steps you can take include:

  • Install a TLS certificate and serve the site over HTTPS so that all traffic across the internet is encrypted
  • Put a web application firewall in front of the server, for example NGINX Plus with the ModSecurity WAF, which helps meet PCI DSS requirement 6.6 and adds request filtering, real-time blacklisting and audit logging
  • Generate strong Diffie-Hellman parameters for TLS as part of SSL/TLS tuning
  • Disable weak cipher suites and allow only strong ciphers

Having completed these steps, you have applied the basic hardening to your Nginx web server running on Ubuntu 18.04.
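As a final check, an added shell script (not part of the original article) that audits a captured response header block, in the form printed by curl -I in steps 1 and 4, for the settings made in steps 1 to 4. The sample responses inside it are constructed for the demonstration; in practice pipe `curl -sI http://YOUR_HOST/` into audit_headers and `curl -s -D - -o /dev/null -X TRACE http://YOUR_HOST/` into audit_method, where YOUR_HOST is your server.

```shell
#!/bin/sh
# Added example, not from the original article: offline audit of a captured
# HTTP response header block for the hardening made in steps 1-4.

# audit_headers: read a header block on stdin, print one line per check,
# return 0 only if every check passes.
audit_headers() {
    hdrs=$(tr -d '\r')            # curl -I prints CRLF line endings
    rc=0

    # Step 1: the Server header must not carry a version number (digit.digit).
    server=$(printf '%s\n' "$hdrs" | grep -i '^Server:' | head -n1)
    case "$server" in
        *[0-9].[0-9]*) echo "FAIL version leaked: $server"; rc=1 ;;
        *)             echo "ok   Server header: ${server:-<absent>}" ;;
    esac

    # Step 2: X-XSS-Protection present with mode=block.
    if printf '%s\n' "$hdrs" | grep -iq '^X-XSS-Protection: *1; *mode=block'; then
        echo "ok   X-XSS-Protection"
    else
        echo "FAIL X-XSS-Protection missing or not '1; mode=block'"; rc=1
    fi

    # Step 4: X-Frame-Options must be SAMEORIGIN or DENY (ALLOW-FROM is obsolete).
    if printf '%s\n' "$hdrs" | grep -iqE '^X-Frame-Options: *(SAMEORIGIN|DENY)'; then
        echo "ok   X-Frame-Options"
    else
        echo "FAIL X-Frame-Options missing or permissive"; rc=1
    fi
    return $rc
}

# audit_method: read the response to a method that should be refused
# (step 3) and pass only if the status line is 405.
audit_method() {
    status=$(tr -d '\r' | head -n1)
    case "$status" in
        HTTP/*\ 405*) echo "ok   $status"; return 0 ;;
        *) echo "FAIL expected 405, got: ${status:-<no status line>}"; return 1 ;;
    esac
}

# Constructed samples: the "before" capture from step 1, a capture after
# steps 1-4, and the response to a TRACE request after step 3.
BEFORE='HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Wed, 06 Jun 2018 14:35:24 GMT
Content-Type: text/html
Content-Length: 612'

AFTER='HTTP/1.1 200 OK
Server: nginx
Date: Wed, 06 Jun 2018 14:44:20 GMT
Content-Type: text/html
Content-Length: 612
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN'

TRACE_RESP='HTTP/1.1 405 Not Allowed
Server: nginx
Content-Type: text/html'

# Demo run on the constructed samples; the "before" capture is expected to fail.
echo "== before hardening =="
printf '%s\n' "$BEFORE" | audit_headers || echo "result: FAIL (as expected)"
echo "== after hardening =="
printf '%s\n' "$AFTER" | audit_headers && echo "result: PASS"
echo "== TRACE after step 3 =="
printf '%s\n' "$TRACE_RESP" | audit_method || echo "result: FAIL"
```

The checks deliberately read headers case-insensitively and strip carriage returns, because header names are case-insensitive on the wire and curl preserves the CRLF line endings; both details trip up naive grep one-liners.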
