In previous post I explained security hardening for linux server. This post will describe hardening based on server purpose.
Modern web application typically consists from following components:
- web server
- database server
- job server
- cache server
Security hardening for those servers is different.
Here are detailed instructions how to harden nginx web server.
SELinux is security kernel feature. If some component on your server is not patched, or there is Zero Day Vulnerability, SELinux will help you to protect other server components. For example, logging component has zero day vulnerability and hacker would use it to try to get access to your web server. SELinux adds additional level of kernel security to make that attack much harder.
2. Allow Minimal Privileges Via Mount Options
This is applied to partition that holds your web application files.
nosuid means that it will be not possible to change user and group permissions for that partition
noexec it will be not possible to run any program from that partition
nodev means do not interpret character or block special devices on
the file system
One of hacker attack vector is to serve his own malicious program using your web application. Those settings will make his attack much harder.
3. Linux /etc/sysctl.conf Hardening
These are low level linux networking and kernel parameters. First attack vector is try to login remotely to your server. These settings will make that job much harder.
4. Remove All Unwanted Nginx Modules
You need to run your nginx with modules that you need. Otherwise, your attack vector surface becomes larger.
will list current nginx modules. Here are instructions how to configure modules.
5. Change Nginx Version Header
This basically makes your nginx server more hidden. It will make hacker job much harder.
How to change Server header. For centOS use
6. Install SELinux Policy To Harden The Nginx Webserver
These are selinux policies that will make your web server more secure.
7. Controlling Buffer Overflow Attacks
Buffer overflow attack is one of the first attack that will hacker try. There are special tools that help them (like Metasploit) to automate that attack. Basically, hacer will try to feed more data to web server connection. Setting explicit boundary values, you will make that task much harder. But be aware that those boundaries could influence your web application operations.
8. Control Simultaneous Connections
Set maximal number of simultaneous connections from same IP address. This will help you to fight web spiders and ddos attacks.
10. Limit Available Methods
You probably know about HTTP GET and POST methods, but do you know about OPTIONS? Restrict HTTP methods that are not used by your web application.
11. Nginx SSL Configuration
You need to run on SSL. For that you will need to buy signed ssl certificate.
Your web server needs to be behind dedicated firewall appliance. Period.
That it is, security hardening for web server. In next post, I will talk about hardening for database server.