Nginx Hardening
Nginx is a widely-used web server that requires proper configuration to prevent attacks. Follow these essential hardening techniques:
1. Configure HTTPS and TLS
Enabling HTTPS with the latest TLS protocols ensures encrypted communication between clients and your server, protecting data from interception and tampering.
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/nginx/ssl/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/example.com.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
}
2. Protect Against DDoS Attacks
Implement rate limiting to mitigate the risk of DDoS attacks, which can overwhelm your server.
http {
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=1r/s;
server {
location / {
limit_req zone=mylimit burst=5;
}
}
}
3. Set Security Headers
Adding security headers helps protect against common attacks like XSS, clickjacking, and data sniffing. These headers enhance application security.
server {
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "no-referrer-when-downgrade";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
Linux Hardening
Securing the Linux operating system involves several best practices to protect against attacks. Key techniques include:
1. Update the System
Regularly update your system to apply the latest security patches and reduce vulnerabilities.
sudo apt update
sudo apt upgrade -y
2. Configure Firewall with UFW
Use UFW (Uncomplicated Firewall) to restrict traffic and enhance system security by only allowing necessary services.
sudo ufw enable
sudo ufw allow OpenSSH
sudo ufw allow http
sudo ufw allow https
sudo ufw deny 23/tcp
3. Set Up SELinux
Enable SELinux (Security-Enhanced Linux) to enforce access control policies and restrict process access.
sudo setenforce 1
sudo vi /etc/selinux/config
# Set SELINUX=enforcing
4. Configure Fail2ban
Fail2ban monitors log files for suspicious activity and bans IP addresses that exhibit malicious behavior, helping to prevent brute force attacks.
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 3
.htaccess Hardening
The .htaccess file configures security settings for Apache. Proper configurations help protect your server from unauthorized access and potential threats:
1. Restrict Access to Sensitive Files
Prevent web access to sensitive configuration files to protect them from exposure.
<FilesMatch "^(config\.php|\.env)">
Order Allow,Deny
Deny from all
</FilesMatch>
2. Limit Access by IP Address
Restrict access to certain parts of your site based on IP addresses to improve security and limit access to trusted users.
order deny,allow
deny from all
allow from 192.168.1.100
3. Disable Directory Listing
Prevent Apache from listing directory contents, which can expose sensitive files to unauthorized users.
Options -Indexes
4. Disable URL Rewriting
Disable URL rewriting if not needed, as it can be a vector for attacks.
RewriteEngine Off
5. Protect .htaccess File
Prevent access to the .htaccess file itself to safeguard against unauthorized modifications.
<Files ".htaccess">
Order Allow,Deny
Deny from all
</Files>
Cisco Hardening
Hardening your Cisco devices is essential to safeguard your network against unauthorized access and potential threats. Below are key configurations to enhance the security of your Cisco devices:
1. Change Default Passwords
Always use strong, complex passwords to protect against unauthorized access.
! Set a strong enable password
enable secret strong_password
! Set a strong password for the console line
line console 0
password strong_password
login
! Set a strong password for VTY lines
line vty 0 4
password strong_password
login
2. Enable SSH and Disable Telnet
Ensure secure communication by enabling SSH and disabling the Telnet protocol.
! Disable Telnet and enable SSH
line vty 0 4
transport input ssh
3. Configure Access Control Lists (ACLs)
Implement ACLs to restrict unauthorized access to the network devices.
! Create an ACL to permit specific IPs
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any
! Apply the ACL to VTY lines
line vty 0 4
access-class 10 in
4. Disable Unused Services and Ports
Turn off any services and close ports that are not in use to reduce potential attack vectors.
! Disable unused services
no ip http server
no ip https server
no cdp run
! Shutdown unused interfaces
interface GigabitEthernet0/1
shutdown
5. Update Firmware Regularly
Keep the firmware up to date to protect against known vulnerabilities.
! Copy new firmware to flash and set boot
copy tftp: flash:
boot system flash:new_firmware.bin
6. Use SNMPv3
If using SNMP, ensure that SNMPv3 is configured to provide encrypted management data.
! Configure SNMPv3 with encryption
snmp-server group admin v3 priv
snmp-server user admin_user admin v3 auth sha auth_password priv aes 256 priv_password
7. Implement Logging and Monitoring
Enable logging and actively monitor logs for any unusual activities.
! Enable logging to an external syslog server
logging 192.168.1.100
! Set logging levels
logging trap warnings
Important Note
Always back up your configuration files before making any changes. Testing configurations in a staging environment can help avoid disruptions to your live site.
Schema Markup Example
This section contains JSON-LD schema markup used for SEO purposes. It helps search engines understand the content of your page better.
{
"@context": "https://schema.org",
"@type": "WebPage",
"name": "Server Hardening Guide",
"description": "Comprehensive guide on server hardening techniques for Nginx, Linux, .htaccess, and Cisco network equipment. Enhance security with detailed configuration examples and explanations based on SANS and NIST standards.",
"url": "https://www.example.com/server-hardening-guide",
"mainEntity": {
"@type": "Article",
"headline": "Server Hardening Guide",
"description": "Detailed guide on server hardening techniques including Nginx, Linux, .htaccess, and Cisco configurations with practical examples and explanations based on SANS and NIST standards.",
"author": {
"@type": "Person",
"name": "Mir Ali Shahidi"
},
"publisher": {
"@type": "Organization",
"name": "Your Organization",
"logo": {
"@type": "ImageObject",
"url": "https://www.example.com/images/logo.png"
}
},
"datePublished": "2024-08-22",
"dateModified": "2024-08-22",
"image": "https://www.example.com/images/thumbnail.jpg"
}
}