Introduction
Nginx is one of the most popular web servers and powers some of the busiest sites on the internet; it is fast and light on resources. Several of its default settings, however, disclose information to an attacker or leave the visitor's browser without protections it could easily be given. This article shows how to harden an Nginx web server on Ubuntu 18.04 against information leakage, cross-site scripting, cookie theft through cross-site tracing, and clickjacking.
Pre-requisites
Please ensure you have the following before starting this tutorial:
- An Ubuntu 18.04 VPS
- The latest nginx web server installed (1.14.0 at the time of publishing this article)
- A backup copy of the following configuration files: /etc/nginx/nginx.conf, /etc/nginx/sites-available/default
- A non-root user with sudo privileges
1. Hide Details About Nginx
By default nginx reveals its exact version in the Server response header, as shown below.
Knowing the precise version lets an attacker look up the vulnerabilities published for that release instead of probing blindly.
$ curl -I http://35.226.204.122/
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Wed, 06 Jun 2018 14:35:24 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 06 Jun 2018 14:34:09 GMT
Connection: keep-alive
ETag: "5b17f0e1-264"
Accept-Ranges: bytes
Disable the version disclosure by uncommenting the line below in the http section of the main nginx config file /etc/nginx/nginx.conf:
http {
    server_tokens off;
Save the file, run sudo nginx -t to check the syntax, and reload nginx:
$ sudo systemctl reload nginx
Confirm that the version details are no longer shown. The Server header still reads "nginx": server_tokens off removes the version number from the header and from nginx's built-in error pages, but not the product name. Stripping the header entirely requires a third-party module such as headers-more, which is outside the scope of this article.
$ curl -I http://35.226.204.122/
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 06 Jun 2018 14:44:20 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 06 Jun 2018 14:34:09 GMT
Connection: keep-alive
ETag: "5b17f0e1-264"
Accept-Ranges: bytes
2. Enable X-XSS-Protection
X-XSS-Protection is a response header that asks the browser to switch on its built-in reflected cross-site scripting filter and, with mode=block, to stop rendering the page when an attack is detected. It protects the site's visitors rather than the server itself, and only in browsers that implement the filter: Firefox never did, and Chrome and Edge removed theirs in 2019. Treat it as a legacy, defence-in-depth measure; proper output encoding and a Content-Security-Policy header are what actually prevent XSS today. Add the line below in the http section of the main nginx config file /etc/nginx/nginx.conf:
add_header X-XSS-Protection "1; mode=block";
As shown below:
http {
    server_tokens off;
    add_header X-XSS-Protection "1; mode=block";
Two points about add_header are easy to miss. First, add_header directives set in the http block are inherited by a server or location block only if that block contains no add_header of its own, so any block that adds its own header must repeat these. Second, add_header is applied only to 2xx and 3xx responses unless you append the always parameter (nginx 1.7.5 and later); without it, error pages go out without the header.
Save the file and reload the nginx service.
3. Disable Undesirable HTTP Methods
A site like this one needs only GET, HEAD and POST; other methods such as DELETE, PUT or TRACE should be rejected. TRACE in particular enables cross-site tracing (XST): the server echoes the request back to the client, including its Cookie header, so a script that can issue TRACE can read cookies it is otherwise not allowed to see. nginx does not implement TRACE and already answers it with 405, but the rule below also rejects every other method outside the allow-list.
To enforce this, add the block below in the server section of the nginx config file /etc/nginx/sites-available/default:
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 405;
}
Note that this also blocks OPTIONS, which browsers send as a CORS preflight request; add it to the list if the site serves cross-origin API clients. Using return inside if is one of the cases the nginx documentation describes as safe.
Add the lines as shown below:
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 405;
    }
}
Save the file and reload the nginx service.
4. Prevent Clickjacking Attacks
In a clickjacking attack the attacker loads the target site inside an invisible iframe on a page they control and positions it so that the victim, who believes they are clicking a harmless element on the attacker's page, actually clicks a button on the framed site. The X-Frame-Options response header tells the browser whether the page may be placed in a frame at all. The value SAMEORIGIN allows framing only by pages from the same origin as the site itself, so an attacker's page cannot frame it. Newer browsers also understand the frame-ancestors directive of Content-Security-Policy, which takes precedence when both are present.
Add the line below in the http section of the main nginx config file /etc/nginx/nginx.conf:
add_header X-Frame-Options "SAMEORIGIN";
As shown below:
http {
    server_tokens off;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Frame-Options "SAMEORIGIN";
Save the file and reload the nginx service.
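Checking steps 1 to 4 by eye in curl output is error-prone, so the POSIX shell script below automates it. It is an added example and not part of the original article: each function takes a captured response header block (what curl -sI prints) and reports through its exit status whether the Server header hides the version, whether both security headers are present with the expected values, and which status code a request received. The sample responses embedded at the bottom are constructed for the example from the article's own curl output; the 405 response for DELETE is likewise constructed.

```sh
#!/bin/sh
# Added example, not from the original article: offline checks for the
# hardening steps above. Each function takes a response header block
# (what `curl -sI` prints) as its first argument and reports via exit status.

# Return 0 when the Server header carries no version number.
server_version_hidden() {
    ! printf '%s\n' "$1" | tr -d '\r' | grep -i '^Server:' | grep -Eq '[0-9]+\.[0-9]+'
}

# Return 0 when header $2 is present with exactly the value $3
# (header name matched case-insensitively, as HTTP allows).
header_equals() {
    printf '%s\n' "$1" | tr -d '\r' | grep -iq "^$2: *$3\$"
}

# Print the numeric status code from the response's status line.
status_code() {
    printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{ print $2 }'
}

# Run the header checks from steps 1, 2 and 4; print each failure and
# return the number of failed checks (0 means fully hardened).
# POSIX sh has no local variables, so hdrs and fails are globals.
audit_headers() {
    hdrs=$1
    fails=0
    server_version_hidden "$hdrs" \
        || { echo "FAIL: Server header leaks the nginx version"; fails=$((fails + 1)); }
    header_equals "$hdrs" X-XSS-Protection '1; mode=block' \
        || { echo "FAIL: X-XSS-Protection missing or wrong"; fails=$((fails + 1)); }
    header_equals "$hdrs" X-Frame-Options SAMEORIGIN \
        || { echo "FAIL: X-Frame-Options missing or wrong"; fails=$((fails + 1)); }
    return $fails
}

# Constructed sample responses, modelled on the article's curl output.
DEFAULT_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Wed, 06 Jun 2018 14:35:24 GMT
Content-Type: text/html
Content-Length: 612
Connection: keep-alive'

HARDENED_HEADERS='HTTP/1.1 200 OK
Server: nginx
Date: Wed, 06 Jun 2018 14:44:20 GMT
Content-Type: text/html
Content-Length: 612
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN'

# What the step-3 rule returns for a DELETE request (constructed).
DELETE_RESPONSE='HTTP/1.1 405 Not Allowed
Server: nginx
Content-Type: text/html
Content-Length: 157'

echo "== default configuration =="
audit_headers "$DEFAULT_HEADERS" || echo "$? check(s) failed"
echo "== hardened configuration =="
audit_headers "$HARDENED_HEADERS" && echo "all header checks passed"
echo "DELETE request answered with status $(status_code "$DELETE_RESPONSE")"
```

Against a live server, replace the samples with real captures: audit_headers "$(curl -sI http://35.226.204.122/)" for the header checks, and status_code "$(curl -si -X DELETE http://35.226.204.122/)" (or TRACE, PUT, OPTIONS) to confirm the method rule returns 405. The functions strip carriage returns first because curl prints the headers with the CRLF line endings HTTP uses.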
5. Always Keep Nginx Up-To-Date
New releases fix the security vulnerabilities found in earlier ones, so keep the package current. On Ubuntu 18.04 the distribution's own nginx package receives security fixes through the standard repositories; the commands below add the nginx stable PPA, which tracks newer upstream releases, and then upgrade. Adding a PPA means trusting its maintainer's packages, so do it deliberately.
$ sudo add-apt-repository ppa:nginx/stable
# Press Enter to continue when prompted to confirm the repository addition
$ sudo apt update
$ sudo apt install nginx -y
Conclusion
The five steps above are the basic methods of securing an nginx web server. Additional steps you could take include:
- Install a TLS certificate and serve the site over HTTPS so that all traffic is encrypted in transit
- Deploy a web application firewall in front of the application, for example NGINX Plus with the ModSecurity WAF, which supports PCI DSS requirement 6.6, filters application-layer attacks, performs real-time blacklisting and keeps audit logs
- Use strong Diffie-Hellman parameters for TLS as part of SSL/TLS tuning
- Disable weak cipher suites and allow only strong ciphers
Having completed these steps, you have hardened the Nginx web server running on your Ubuntu 18.04 server.