Hardening your Nginx servers

Halo provides preset configuration policies for operating systems and some other common applications, but you can also build your own policies for specific applications. In this blog entry we’ll go over how to build a policy for Nginx and use that policy to help harden your web servers.

Halo can identify whether a server is currently compliant with the Nginx security policy you create. We’ll be using the hardening guide here for recommendations on the settings we may want to adjust, and we’ll create a few checks from it. We won’t cover every step: some checks relate to the OS, and others to application settings made outside the configuration file. You can always add more checks or customize them for your environment.

Create a Configuration Check for each of the hardening settings you want to cover.

Below is a list of the settings we’re going to create rules for:

1. Control Simultaneous Connections

In the nginx.conf file you can use the NginxHttpLimitZone module to limit the number of simultaneous connections, either for the assigned session or, as a special case, from one IP address.

2. Controlling Buffer Overflow Attacks

There are several buffer variables you can set to limit the size of request data. DDoS mitigation is a fundamental aspect of web server security.

In addition, you can repeat the above process to set each of the following parameters within nginx.conf:

Configuration item  —  Desired value
client_body_buffer_size  —  1k
client_header_buffer_size  —  1k
client_max_body_size  —  1k
large_client_header_buffers  —  2 1k
limit_zone slimits  —  5m
limit_conn slimits  —  5
server_tokens  —  off

3. Timeout settings

Also in the nginx.conf file, you can set client side, keepalive, and send timeouts.

In addition, you can repeat the above process to set each of the following timeout parameters:

Configuration item  —  Desired value
client_body_timeout  —  10
client_header_timeout  —  10
keepalive_timeout  —  55
send_timeout  —  10

4. Turn off the nginx version number on auto-generated error pages.

Security by obscurity never hurt anyone.

5. Check if the nginx process is running.

All this security is great, but is my application still online?

6. Are the log files present?

Access and error logs should be present so that access and error logging actually takes place.
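The six checks above can be expressed as a small compliance script. The following Python is an added example, not code from this post or from Halo’s own check engine: it parses a constructed nginx.conf, compares the flat directives against the desired values from the two tables (server_tokens off also covers item 4), verifies the connection-limit zone, reads the configured log paths, and looks for a running nginx process via /proc. The sample configuration, the file paths and all helper names are assumptions; the script also accepts the current limit_conn_zone form, which replaced the legacy limit_zone directive shown in the guide.

```python
"""Check an nginx.conf against the hardening settings listed above (added example)."""
import os
import re

# Desired values from the hardening guide (items 2, 3 and 4).
DESIRED = {
    "client_body_buffer_size": "1k",
    "client_header_buffer_size": "1k",
    "client_max_body_size": "1k",
    "large_client_header_buffers": "2 1k",
    "limit_conn": "slimits 5",
    "server_tokens": "off",          # item 4: hides the version on error pages
    "client_body_timeout": "10",
    "client_header_timeout": "10",
    "keepalive_timeout": "55",
    "send_timeout": "10",
}

# Constructed sample config: keepalive_timeout is deliberately wrong and
# send_timeout is deliberately missing so the report shows both failure kinds.
SAMPLE_CONF = """
user nginx;
http {
    # 5 MB shared zone keyed by client address, at most 5 connections per key
    limit_zone slimits $binary_remote_addr 5m;
    limit_conn slimits 5;

    client_body_buffer_size 1k;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 1k;
    server_tokens off;

    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 65;   # guide wants 55

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
}
"""

DIRECTIVE_RE = re.compile(r"^([a-z_]+)\s+([^;]+);$")


def parse_directives(conf_text):
    """Return {directive: value} for simple 'name value;' lines.

    Comments are stripped first; block openers such as 'http {' are skipped.
    Contexts are not modelled, so a directive repeated in several blocks keeps
    its last occurrence. That flat view is enough for the settings checked here.
    """
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = DIRECTIVE_RE.match(line)
        if m:
            found[m.group(1)] = " ".join(m.group(2).split())
    return found


def check_settings(found, desired=DESIRED):
    """Items 2-4: {directive: (status, actual)}; status is ok, mismatch or missing."""
    report = {}
    for name, want in desired.items():
        actual = found.get(name)
        if actual is None:
            report[name] = ("missing", None)
        else:
            report[name] = ("ok" if actual == want else "mismatch", actual)
    return report


def check_limit_zone(found):
    """Item 1: the zone backing limit_conn must be 5m.

    Accepts the legacy 'limit_zone slimits $binary_remote_addr 5m' form from the
    guide or the current 'limit_conn_zone $binary_remote_addr zone=slimits:5m'.
    """
    value = found.get("limit_zone") or found.get("limit_conn_zone")
    if value is None:
        return ("missing", None)
    size = value.split()[-1]
    if size.startswith("zone="):
        size = size.split(":", 1)[1]
    return ("ok" if size == "5m" else "mismatch", size)


def log_files(found):
    """Item 6: configured log paths and whether each file exists on this host."""
    return {name: (found.get(name), bool(found.get(name)) and os.path.exists(found[name]))
            for name in ("access_log", "error_log")}


def nginx_running(proc_dir="/proc"):
    """Item 5: True if any process named nginx is visible under /proc (Linux only)."""
    if not os.path.isdir(proc_dir):
        return False
    for pid in os.listdir(proc_dir):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_dir, pid, "comm")) as fh:
                if fh.read().strip() == "nginx":
                    return True
        except OSError:
            continue
    return False


if __name__ == "__main__":
    directives = parse_directives(SAMPLE_CONF)
    for name, (status, actual) in check_settings(directives).items():
        print(f"{status:8} {name} = {actual}")
    print("limit zone:", check_limit_zone(directives))
    print("logs:", log_files(directives))
    print("nginx running:", nginx_running())
```

Run against a real file by replacing SAMPLE_CONF with the contents of /etc/nginx/nginx.conf; anything reported as mismatch or missing is a setting the policy would flag.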

With a few rules and several configuration checks, we’re now done with the Nginx policy. Let’s not forget the underlying OS. Let’s make sure we have the latest OS policy; in this instance we are running CentOS. We’ll add the core and extended policies for CentOS to our Nginx server group’s policy list. This also covers many of the OS hardening tips outlined in the hardening guide. To view or modify the configuration policies for a specific group, click the group’s name. When the “Edit details” option appears, click it. This opens the “Edit Group Details” window, where you can view or modify the group’s configuration policies.

That should do it for building the Nginx policy and adding the OS policies. In addition, we could add a firewall policy that limits server access to only the required ports. We could also make sure our software is patched and up to date by checking the software vulnerability report. For good measure, we could toss in a little File Integrity Monitoring, and we’ll be well on our way to a secure and hardened Nginx server.
