Nginx WebServer Best Security Practices
NGINX is a free, open-source, high-performance HTTP server and reverse proxy that can also act as an IMAP/POP3 proxy server. NGINX is known for its high performance, stability, rich feature set, simple configuration, and low resource consumption. In this article, we explain Nginx web server security best practices.
sysctl.conf is a simple file containing sysctl values to be read in and set by sysctl. To open sysctl.conf, use the following command –
$ sudo vim /etc/sysctl.conf
The sample output should be like this –
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
..........................................
To prevent a smurf attack (ignore ICMP echo requests sent to broadcast addresses), add the following line to the sysctl.conf file.
net.ipv4.icmp_echo_ignore_broadcasts = 1
To turn on protection against bogus ICMP error messages, add the following line to the sysctl.conf file.
net.ipv4.icmp_ignore_bogus_error_responses = 1
To turn on SYN cookies for SYN flood attack protection, add the following line to the sysctl.conf file.
net.ipv4.tcp_syncookies = 1
To log spoofed, source-routed and redirect packets (so-called martians), add the following lines to the sysctl.conf file.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
To reject source-routed packets, add the following lines to the sysctl.conf file.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
To turn on reverse path filtering, add the following lines to the sysctl.conf file.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
To stop ICMP redirects from altering the routing tables, add the following lines to the sysctl.conf file.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
To turn on Exec-Shield and address space layout randomisation, add the following lines to the sysctl.conf file. Note that kernel.exec-shield exists only on older Red Hat family kernels (sysctl reports it as an unknown key elsewhere), and that kernel.randomize_va_space = 2 gives full randomisation.
kernel.exec-shield = 1
kernel.randomize_va_space = 1
To tune IPv6, add the following lines to the sysctl.conf file.
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
To raise the system-wide open file limit (useful behind load balancers or under heavy connection load), add the following line to the sysctl.conf file.
fs.file-max = 65535
To allow more PIDs, add the following line to the sysctl.conf file.
kernel.pid_max = 65536
To increase the system's local IP port range, add the following line to the sysctl.conf file.
net.ipv4.ip_local_port_range = 2000 65000
To increase the TCP maximum buffer sizes (the defaults that applications can still override with setsockopt()), add the following lines to the sysctl.conf file.
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
To load the settings from the file into the running kernel, use the following command –
# sysctl -p
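As an added example (not part of the original article), here is a POSIX shell script that audits a `sysctl -a` dump against the hardening values above, so you can verify that the settings actually took effect after `sysctl -p`. It works on a captured dump file so it runs offline; the sample dump and its two deliberately weak values are constructed here. The expected list uses kernel.randomize_va_space = 2 (full randomisation) rather than the article's 1, which is this example's own choice, and leaves out kernel.exec-shield because it exists only on older Red Hat kernels.

```shell
#!/bin/sh
# Added example: audit a sysctl dump against the hardening values from the article.
# Usage: sysctl -a > dump.txt && sh audit_sysctl.sh dump.txt

# Expected settings (key=value). Keys are real Linux sysctls; the value 2 for
# kernel.randomize_va_space (full ASLR, the modern default) is this example's
# assumption, stricter than the article's 1.
expected_sysctls() {
    cat <<'EOF'
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
kernel.randomize_va_space=2
EOF
}

# Constructed sample of `sysctl -a` output ("key = value" per line). Two values
# (tcp_syncookies and conf.all.accept_redirects) are deliberately left weak.
sample_dump() {
    cat <<'EOF'
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
kernel.randomize_va_space = 2
EOF
}

# audit_sysctl_dump FILE: print one line per missing or mismatched setting and
# return the number of findings as the exit status (0 means fully compliant).
audit_sysctl_dump() {
    dump="$1"
    bad=0
    for pair in $(expected_sysctls); do
        key=${pair%%=*}
        want=${pair#*=}
        # Escape the dots so they match literally in the sed pattern.
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')
        have=$(sed -n "s/^${esc} *= *//p" "$dump" | head -n 1)
        if [ -z "$have" ]; then
            echo "MISSING  $key (expected $want)"
            bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key is $have, expected $want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# When given a dump file on the command line, audit it and exit with the count.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    audit_sysctl_dump "$1"
    exit $?
fi
```

Run against the constructed sample, the script reports the two weak values and exits with status 2; a key absent from the dump (for example on a kernel without IPv6) is reported separately as MISSING rather than silently treated as compliant.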
To stop Nginx from displaying its version number in response headers and error pages, add the following line to the /etc/nginx/conf.d/default.conf file (inside the server or http block).
server_tokens off;
To limit request sizes and reduce exposure to buffer overflow attacks, add the following directives to the /etc/nginx/nginx.conf file (inside the http block).
## Start: Size Limits & Buffer Overflows ##
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
## END: Size Limits & Buffer Overflows ##
client_body_buffer_size 1k − This directive sets the buffer size used for reading a client request body; bodies larger than the buffer are written to a temporary file.
client_header_buffer_size 1k − This directive sets the buffer size used for reading the request header from the client.
client_max_body_size 1k − This directive sets the maximum allowed size of the client request body, as given by the Content-Length request header; a larger request is rejected with a 413 (Request Entity Too Large) error. 1k is far too small for any site that accepts uploads or form posts, so raise it to what the application actually needs.
large_client_header_buffers 2 1k − This directive sets the maximum number and size of buffers used for reading large request headers from the client.
Nginx and PHP Security Tips
PHP's security settings live in its configuration file, php.ini. The beginning of a php.ini file looks like this –
[PHP]

;;;;;;;;;;;;;;;;;;;
; About php.ini   ;
;;;;;;;;;;;;;;;;;;;
; PHP's initialization file, generally called php.ini, is responsible for
; configuring many of the aspects of PHP's behavior.

; PHP attempts to find and load this configuration from a number of locations.
; The following is a summary of its search order:
; 1. SAPI module specific location.
; 2. The PHPRC environment variable. (As of PHP 5.2.0)
; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0)
; 4. Current working directory (except CLI)
; 5. The web server's directory (for SAPI modules), or directory of PHP
; (otherwise in Windows)
; 6. The directory from the --with-config-file-path compile time option, or the
; Windows directory (C:\windows or C:\winnt)
; See the PHP docs for more specific information.
To disable dangerous functions in PHP, add the following line to the php.ini file.
disable_functions = phpinfo, system, mail, exec
To set the maximum execution time of each script, add the following line to the php.ini file.
max_execution_time = 30
To set the maximum amount of time each script may spend parsing request data, add the following line to the php.ini file.
max_input_time = 60
To set the maximum amount of memory a script may consume, add the following line to the php.ini file.
memory_limit = 8M
To set the maximum size of POST data that PHP will accept, add the following line to the php.ini file.
post_max_size = 8M
To set the maximum allowed size for uploaded files, add the following line to the php.ini file.
upload_max_filesize = 2M
To avoid exposing PHP error messages to external users, add the following line to the php.ini file.
display_errors = Off
To turn on safe mode, add the following line to the php.ini file. Note that safe_mode and its safe_mode_* directives were removed in PHP 5.4, where setting them only produces a startup warning.
safe_mode = On
To limit external access to the PHP environment to variables prefixed with PHP_, add the following line to the php.ini file.
safe_mode_allowed_env_vars = PHP_
To log all errors, add the following line to the php.ini file.
log_errors = On
To minimise the allowed PHP POST size, add the following line to the php.ini file. This overrides the post_max_size = 8M setting above, because the last definition of a directive in php.ini wins.
post_max_size = 1K
To enable SQL safe mode, add the following line to the php.ini file.
sql.safe_mode = On
To avoid opening remote files through URL wrappers (for example in fopen() and include), add the following line to the php.ini file.
allow_url_fopen = Off
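As an added example (not part of the original article) that serves both the Nginx directives above and the php.ini settings in this section, here is a POSIX shell script that reads the effective value of a directive from either file format and compares it with the value you expect. Both sample files are constructed here; the php.ini sample defines post_max_size twice on purpose, because PHP takes the last definition, which is what the article's own 8M-then-1K sequence relies on, and the Nginx sample omits client_max_body_size so the check reports an unset directive.

```shell
#!/bin/sh
# Added example: read the effective value of a directive from a php.ini-style
# file (key = value, ';' comments) or an nginx config (directive value;, '#'
# comments) and compare it with an expected value. Sample files are constructed.

# Constructed php.ini fragment. post_max_size appears twice on purpose: PHP
# uses the last definition, so the effective value is 1K, not 8M.
sample_php_ini() {
    cat <<'EOF'
[PHP]
post_max_size = 8M
display_errors = On
log_errors = On
log_errors_max_len = 1024
allow_url_fopen = Off
post_max_size = 1K   ; last definition wins
EOF
}

# Constructed nginx.conf fragment with one of the article's limits left out.
sample_nginx_conf() {
    cat <<'EOF'
http {
    server_tokens off;
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    # client_max_body_size deliberately missing
    large_client_header_buffers 2 1k;
}
EOF
}

# effective_value FILE KEY: print the value of the last uncommented KEY line
# (empty if absent). The key must be followed by whitespace or '=', so
# log_errors does not match log_errors_max_len. Assumes one directive per line.
effective_value() {
    file="$1"; key="$2"
    sed -e 's/[;#].*$//' "$file" \
      | sed -n -E "s/^[[:space:]]*${key}([[:space:]]+=?|=)[[:space:]]*(.*)$/\2/p" \
      | sed -E 's/[[:space:]]*$//' \
      | tail -n 1
}

# check_setting FILE KEY EXPECTED: return 0 when the effective value matches
# (case-insensitively, so Off and off agree); otherwise print a finding and
# return 1.
check_setting() {
    have=$(effective_value "$1" "$2" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    [ "$have" = "$want" ] && return 0
    echo "$1: $2 is '${have:-unset}', expected '$3'"
    return 1
}

# Run the article's checks against the constructed samples; return the number
# of findings as the exit status (expected: display_errors and client_max_body_size).
audit_samples() {
    php=$(mktemp); ngx=$(mktemp)
    sample_php_ini > "$php"; sample_nginx_conf > "$ngx"
    bad=0
    for spec in "$php:display_errors:Off" "$php:log_errors:On" \
                "$php:allow_url_fopen:Off" "$php:post_max_size:1K" \
                "$ngx:server_tokens:off" "$ngx:client_max_body_size:1k"; do
        f=${spec%%:*}; rest=${spec#*:}; k=${rest%%:*}; v=${rest#*:}
        check_setting "$f" "$k" "$v" || bad=$((bad + 1))
    done
    rm -f "$php" "$ngx"
    return "$bad"
}
```

To use it on a real host, call `check_setting /etc/php/php.ini display_errors Off` or `check_setting /etc/nginx/nginx.conf server_tokens off` (paths are placeholders for your own installation). Nginx rejects a duplicated directive within one block at startup, so the last-definition rule only matters for php.ini.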
To upgrade Nginx, use the following command –
$ sudo apt-get upgrade nginx
The sample output should be like this –
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  libhdb9-heimdal libkdc2-heimdal libntdb1 python-ntdb
Use 'apt-get autoremove' to remove them.
The following NEW packages will be installed:
  nginx nginx-common nginx-core
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 349 kB of archives.
After this operation, 1,297 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
.....................................................................
After reading this article, you should understand what the Nginx web server is and how to secure it. In our next articles, we will come up with more Linux-based tricks and tips. Keep reading!