{"id":69,"date":"2014-09-19T04:13:00","date_gmt":"2014-09-19T04:13:00","guid":{"rendered":"http:\/\/onlinelab.info\/2014\/09\/19\/top-20-nginx-webserver-best-security-practices\/"},"modified":"2014-09-19T04:13:00","modified_gmt":"2014-09-19T04:13:00","slug":"top-20-nginx-webserver-best-security-practices","status":"publish","type":"post","link":"https:\/\/www.asianux.org.vn\/index.php\/2014\/09\/19\/top-20-nginx-webserver-best-security-practices\/","title":{"rendered":"Top 20 Nginx WebServer Best Security Practices"},"content":{"rendered":"<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\"><span style=\"color: #888888; float: left; font-size: 3.571em; line-height: 0.76em; margin: 0px; padding: 0.04em 0.12em 0px 0px;\">N<\/span>ginx is a lightweight, high performance web server\/reverse proxy and e-mail (IMAP\/POP3) proxy. It runs on UNIX, GNU\/Linux, BSD variants, Mac OS X, Solaris, and Microsoft Windows. According to Netcraft, 6% of all domains on the Internet use nginx webserver. Nginx is one of a handful of servers written to address the C10K problem. Unlike traditional servers, Nginx doesn&#8217;t rely on threads to handle requests. Instead it uses a much more scalable event-driven (asynchronous) architecture. Nginx powers several high traffic web sites, such as WordPress, Hulu, Github, and SourceForge. 
This page collects hints on how to improve the security of nginx web servers running on Linux or UNIX-like operating systems.<br style=\"margin: 0px; padding: 0px;\" \/><span style=\"margin: 0px; padding: 0px;\"><\/span><\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">Default Config Files and Nginx Port<\/h2>\n<ul style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; list-style: square; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">\/usr\/local\/nginx\/conf\/<\/strong>&nbsp;&#8211; The nginx server configuration directory; \/usr\/local\/nginx\/conf\/nginx.conf is the main configuration file.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">\/usr\/local\/nginx\/html\/<\/strong>&nbsp;&#8211; The default document location.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">\/usr\/local\/nginx\/logs\/<\/strong>&nbsp;&#8211; The default log file location.<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Nginx&nbsp;<strong style=\"margin: 0px; padding: 0px;\">HTTP default port<\/strong>&nbsp;: TCP 80<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Nginx&nbsp;<strong style=\"margin: 0px; padding: 0px;\">HTTPS default port<\/strong>&nbsp;: TCP 443<\/li>\n<\/ul>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">You can test nginx configuration changes as follows:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px 
solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># \/usr\/local\/nginx\/sbin\/nginx -t<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Sample outputs:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">the configuration file \/usr\/local\/nginx\/conf\/nginx.conf syntax is ok<br \/>configuration file \/usr\/local\/nginx\/conf\/nginx.conf test is successful<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">To load config changes, type:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># \/usr\/local\/nginx\/sbin\/nginx -s reload<\/code><br style=\"margin: 0px; padding: 0px;\" \/>To stop the server, type:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># \/usr\/local\/nginx\/sbin\/nginx -s stop<\/code><\/div>\n<h2 
style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#1: Turn On SELinux<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Security-Enhanced Linux (SELinux) is a Linux kernel feature that provides a mechanism for enforcing access control security policies and offers strong protection. It can stop many attacks before your system is rooted. See how to turn on&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/rhel-fedora-redhat-selinux-protection\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">SELinux for CentOS \/ RHEL<\/a>&nbsp;based systems.<\/div>\n<h3 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; font-weight: normal; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">Do Boolean Lockdown<\/h3>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Run the getsebool -a command and lock down the system:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">getsebool -a | <span style=\"color: #c20cb9; font-weight: bold; margin: 0px; padding: 0px;\">less<\/span><br \/>getsebool -a | <span style=\"color: #c20cb9; font-weight: bold; margin: 0px; padding: 0px;\">grep<\/span> off<br \/>getsebool -a | <span style=\"color: 
#c20cb9; font-weight: bold; margin: 0px; padding: 0px;\">grep<\/span> -w on<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">To secure the machine, look at the booleans which are set to &#8216;on&#8217; and change them to &#8216;off&#8217; with the setsebool command if they do not apply to your setup. Set the correct SELinux booleans to maintain both functionality and protection. Please note that SELinux adds 2-8% overhead to a typical RHEL or CentOS installation.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#2: Allow Minimal Privileges Via Mount Options<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Serve all your web pages \/ html \/ php files from a separate partition. For example, create a partition called \/dev\/sda5 and mount it at \/nginx. Make sure \/nginx is mounted with the&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/linux-unix-bsd-nginx-webserver-security.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">noexec, nodev and nosetuid<\/a>&nbsp;options. 
Here is my \/etc\/fstab entry for mounting \/nginx:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">LABEL=\/nginx     \/nginx          ext3   defaults,nosuid,noexec,nodev 1 2<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Note that you need to create the new partition first, using the&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/redhat-centos-linux-ext3-filesystem-format-command\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">fdisk and mkfs.ext3<\/a>&nbsp;commands.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#3: Linux \/etc\/sysctl.conf Hardening<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">You can control and configure Linux kernel and networking settings via&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/linux-kernel-etcsysctl-conf-security-hardening\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">\/etc\/sysctl.conf<\/a>.<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 
0.917em;\">&nbsp;<br \/># Avoid a smurf attack<br \/>net.ipv4.<span style=\"color: #000099; margin: 0px; padding: 0px;\">icmp_echo_ignore_broadcasts <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">1<\/span><\/span><br \/>&nbsp;<br \/># Turn on protection for bad icmp error messages<br \/>net.ipv4.<span style=\"color: #000099; margin: 0px; padding: 0px;\">icmp_ignore_bogus_error_responses <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">1<\/span><\/span><br \/>&nbsp;<br \/># Turn on syncookies for SYN flood attack protection<br \/>net.ipv4.<span style=\"color: #000099; margin: 0px; padding: 0px;\">tcp_syncookies <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">1<\/span><\/span><br \/>&nbsp;<br \/># Turn on and log spoofed, source routed, and redirect packets<br \/>net.ipv4.conf.all.<span style=\"color: #000099; margin: 0px; padding: 0px;\">log_martians <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">1<\/span><\/span><br \/>net.ipv4.conf.default.<span style=\"color: #000099; margin: 0px; padding: 0px;\">log_martians <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">1<\/span><\/span><br \/>&nbsp;<br \/># No source routed packets here<br \/>net.ipv4.conf.all.<span style=\"color: #000099; margin: 0px; padding: 0px;\">accept_source_route <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">0<\/span><\/span><br \/>net.ipv4.conf.default.<span style=\"color: #000099; margin: 0px; padding: 0px;\">accept_source_route <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">0<\/span><\/span><br \/>&nbsp;<br \/># Turn on reverse path filtering<br 
\/>net.ipv4.conf.all.<span style=\"color: #000099; margin: 0px; padding: 0px;\">rp_filter <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">1<\/span><\/span><br \/>net.ipv4.conf.default.<span style=\"color: #000099; margin: 0px; padding: 0px;\">rp_filter <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">1<\/span><\/span><br \/>&nbsp;<br \/># Make sure no one can alter the routing tables<br \/>net.ipv4.conf.all.<span style=\"color: #000099; margin: 0px; padding: 0px;\">accept_redirects <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">0<\/span><\/span><br \/>net.ipv4.conf.default.<span style=\"color: #000099; margin: 0px; padding: 0px;\">accept_redirects <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">0<\/span><\/span><br \/>net.ipv4.conf.all.<span style=\"color: #000099; margin: 0px; padding: 0px;\">secure_redirects <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">0<\/span><\/span><br \/>net.ipv4.conf.default.<span style=\"color: #000099; margin: 0px; padding: 0px;\">secure_redirects <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">0<\/span><\/span><br \/>&nbsp;<br \/># Don't act as a router<br \/>net.ipv4.<span style=\"color: #000099; margin: 0px; padding: 0px;\">ip_forward <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">0<\/span><\/span><br \/>net.ipv4.conf.all.<span style=\"color: #000099; margin: 0px; padding: 0px;\">send_redirects <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">0<\/span><\/span><br \/>net.ipv4.conf.default.<span style=\"color: #000099; margin: 0px; 
padding: 0px;\">send_redirects <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">0<\/span><\/span><br \/>&nbsp;<br \/>&nbsp;<br \/># Turn on exec-shield<br \/>kernel.exec-<span style=\"color: #000099; margin: 0px; padding: 0px;\">shield <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">1<\/span><\/span><br \/>kernel.<span style=\"color: #000099; margin: 0px; padding: 0px;\">randomize_va_space <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">1<\/span><\/span><br \/>&nbsp;<br \/># Tune IPv6<br \/>net.ipv6.conf.default.<span style=\"color: #000099; margin: 0px; padding: 0px;\">router_solicitations <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">0<\/span><\/span><br \/>net.ipv6.conf.default.<span style=\"color: #000099; margin: 0px; padding: 0px;\">accept_ra_rtr_pref <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">0<\/span><\/span><br \/>net.ipv6.conf.default.<span style=\"color: #000099; margin: 0px; padding: 0px;\">accept_ra_pinfo <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">0<\/span><\/span><br \/>net.ipv6.conf.default.<span style=\"color: #000099; margin: 0px; padding: 0px;\">accept_ra_defrtr <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">0<\/span><\/span><br \/>net.ipv6.conf.default.<span style=\"color: #000099; margin: 0px; padding: 0px;\">autoconf <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">0<\/span><\/span><br \/>net.ipv6.conf.default.<span style=\"color: #000099; margin: 0px; padding: 0px;\">dad_transmits <\/span>=<span style=\"color: #660066; margin: 0px; 
padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">0<\/span><\/span><br \/>net.ipv6.conf.default.<span style=\"color: #000099; margin: 0px; padding: 0px;\">max_addresses <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">1<\/span><\/span><br \/>&nbsp;<br \/># Optimization for port use for LBs<br \/># Increase system file descriptor limit<br \/>fs.file-<span style=\"color: #000099; margin: 0px; padding: 0px;\">max <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">65535<\/span><\/span><br \/>&nbsp;<br \/># Allow for more PIDs <span style=\"margin: 0px; padding: 0px;\">(<\/span>to reduce rollover problems<span style=\"margin: 0px; padding: 0px;\">)<\/span><span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">; may break some programs 32768<\/span><br \/>kernel.<span style=\"color: #000099; margin: 0px; padding: 0px;\">pid_max <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">65536<\/span><\/span><br \/>&nbsp;<br \/># Increase system IP port limits<br \/>net.ipv4.<span style=\"color: #000099; margin: 0px; padding: 0px;\">ip_local_port_range <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">2000<\/span> <span style=\"margin: 0px; padding: 0px;\">65000<\/span><\/span><br \/>&nbsp;<br \/># Increase TCP max buffer size settable using setsockopt<span style=\"margin: 0px; padding: 0px;\">(<\/span><span style=\"margin: 0px; padding: 0px;\">)<\/span><br \/>net.ipv4.<span style=\"color: #000099; margin: 0px; padding: 0px;\">tcp_rmem <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">4096<\/span> <span style=\"margin: 0px; padding: 0px;\">87380<\/span> <span style=\"margin: 0px; padding: 0px;\">8388608<\/span><\/span><br \/>net.ipv4.<span 
style=\"color: #000099; margin: 0px; padding: 0px;\">tcp_wmem <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">4096<\/span> <span style=\"margin: 0px; padding: 0px;\">87380<\/span> <span style=\"margin: 0px; padding: 0px;\">8388608<\/span><\/span><br \/>&nbsp;<br \/># Increase Linux auto tuning TCP buffer limits<br \/># min, default, and max number of bytes to use<br \/># set max to at least 4MB, or higher if you use very high BDP paths<br \/># Tcp Windows etc<br \/>net.core.<span style=\"color: #000099; margin: 0px; padding: 0px;\">rmem_max <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">8388608<\/span><\/span><br \/>net.core.<span style=\"color: #000099; margin: 0px; padding: 0px;\">wmem_max <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">8388608<\/span><\/span><br \/>net.core.<span style=\"color: #000099; margin: 0px; padding: 0px;\">netdev_max_backlog <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">5000<\/span><\/span><br \/>net.ipv4.<span style=\"color: #000099; margin: 0px; padding: 0px;\">tcp_window_scaling <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">1<\/span><\/span><br \/>&nbsp;<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">See also:<\/div>\n<ul style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; list-style: square; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\"><a 
href=\"http:\/\/www.cyberciti.biz\/faq\/linux-kernel-tuning-virtual-memory-subsystem\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Linux Tuning The VM<\/a>&nbsp;(memory) Subsystem<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/www.cyberciti.biz\/faq\/linux-tcp-tuning\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Linux Tune Network Stack<\/a>&nbsp;(Buffers Size) To Increase Networking Performance<\/li>\n<\/ul>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#4: Remove All Unwanted Nginx Modules<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Minimize the number of modules that are compiled directly into the nginx binary. This reduces risk by limiting the capabilities available to the webserver. You can configure and install nginx with only the required modules. 
For example, to disable the SSI and autoindex modules, type:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># .\/configure --without-http_autoindex_module --without-http_ssi_module<br style=\"margin: 0px; padding: 0px;\" \/># make<br style=\"margin: 0px; padding: 0px;\" \/># make install<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Type the following command to see which modules can be turned on or off when compiling the nginx server:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># .\/configure --help | less<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Disable the nginx modules that you don&#8217;t need.<\/div>\n<h3 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; font-weight: normal; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">(Optional) Change Nginx Version Header<\/h3>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Edit src\/http\/ngx_http_header_filter_module.c, enter:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale 
Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># vi +48 src\/http\/ngx_http_header_filter_module.c<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Find the lines:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">&nbsp;<br \/><span style=\"color: #993333; margin: 0px; padding: 0px;\">static<\/span> <span style=\"color: #993333; margin: 0px; padding: 0px;\">char<\/span> ngx_http_server_string<span style=\"color: #66cc66; margin: 0px; padding: 0px;\">[<\/span><span style=\"color: #66cc66; margin: 0px; padding: 0px;\">]<\/span> = <span style=\"color: red; margin: 0px; padding: 0px;\">\"Server: nginx\"<\/span> CRLF;<br \/><span style=\"color: #993333; margin: 0px; padding: 0px;\">static<\/span> <span style=\"color: #993333; margin: 0px; padding: 0px;\">char<\/span> ngx_http_server_full_string<span style=\"color: #66cc66; margin: 0px; padding: 0px;\">[<\/span><span style=\"color: #66cc66; margin: 0px; padding: 0px;\">]<\/span> = <span style=\"color: red; margin: 0px; padding: 0px;\">\"Server: \"<\/span> NGINX_VER CRLF;<br \/>&nbsp;<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Change them as follows:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">&nbsp;<br 
\/><span style=\"color: #993333; margin: 0px; padding: 0px;\">static<\/span> <span style=\"color: #993333; margin: 0px; padding: 0px;\">char<\/span> ngx_http_server_string<span style=\"color: #66cc66; margin: 0px; padding: 0px;\">[<\/span><span style=\"color: #66cc66; margin: 0px; padding: 0px;\">]<\/span> = <span style=\"color: red; margin: 0px; padding: 0px;\">\"Server: Ninja Web Server\"<\/span> CRLF;<br \/><span style=\"color: #993333; margin: 0px; padding: 0px;\">static<\/span> <span style=\"color: #993333; margin: 0px; padding: 0px;\">char<\/span> ngx_http_server_full_string<span style=\"color: #66cc66; margin: 0px; padding: 0px;\">[<\/span><span style=\"color: #66cc66; margin: 0px; padding: 0px;\">]<\/span> = <span style=\"color: red; margin: 0px; padding: 0px;\">\"Server: Ninja Web Server\"<\/span> CRLF;<br \/>&nbsp;<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Save and close the file. Now, you can compile the server. 
Add the following to nginx.conf to turn off the nginx version number displayed on all auto-generated error pages:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">server_tokens off;<\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#5: Use mod_security (only for backend Apache servers)<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">mod_security provides an application-level firewall for Apache. Install&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/rhel-fedora-centos-httpd-mod_security-configuration\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">mod_security for all backend<\/a>&nbsp;Apache web servers. This will stop many injection attacks.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#6: Install SELinux Policy To Harden The Nginx Webserver<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">By default SELinux will not protect the nginx web server. However, you can compile and install a policy for it as follows. 
First, install the required SELinux compile-time support:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># yum -y install selinux-policy-targeted selinux-policy-devel<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Download the targeted SELinux policies to harden the nginx webserver on Linux servers from the&nbsp;<a href=\"http:\/\/sourceforge.net\/projects\/selinuxnginx\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">project home<\/a>&nbsp;page:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># cd \/opt<br style=\"margin: 0px; padding: 0px;\" \/># wget 'http:\/\/downloads.sourceforge.net\/project\/selinuxnginx\/se-ngix_1_0_10.tar.gz?use_mirror=nchc'<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Untar the same:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># tar -zxvf se-ngix_1_0_10.tar.gz<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Compile the same:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 
1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># cd se-ngix_1_0_10\/nginx<br style=\"margin: 0px; padding: 0px;\" \/># make<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Sample outputs:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">Compiling targeted nginx module<br \/>\/usr\/bin\/checkmodule:  loading policy configuration from tmp\/nginx.tmp<br \/>\/usr\/bin\/checkmodule:  policy configuration loaded<br \/>\/usr\/bin\/checkmodule:  writing binary representation (version 6) to tmp\/nginx.mod<br \/>Creating targeted nginx.pp policy package<br \/>rm tmp\/nginx.mod.fc tmp\/nginx.mod<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Install the resulting nginx.pp SELinux module:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># \/usr\/sbin\/semodule -i nginx.pp<\/code><\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#7: Restrictive Iptables Based Firewall<\/h2>\n<div 
style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">The following firewall script blocks everything and only allows:<\/div>\n<ul style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; list-style: square; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\">Incoming HTTP (TCP port 80) requests<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Incoming ICMP ping requests<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Outgoing ntp (port 123) requests<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Outgoing smtp (TCP port 25) requests<\/li>\n<\/ul>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\"><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\">#!\/bin\/bash<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">IPT=<\/span><span style=\"color: red; margin: 0px; padding: 0px;\">\"\/sbin\/iptables\"<\/span><br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\">#### IPS ######<\/span><br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\">#\nGet server public ip <\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">SERVER_IP=<\/span>$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">(<\/span>ifconfig eth0 | <span style=\"color: #c20cb9; font-weight: bold; margin: 0px; padding: 0px;\">grep<\/span> <span style=\"color: red; margin: 0px; padding: 0px;\">'inet 
addr:'<\/span> | <span style=\"color: #c20cb9; font-weight: bold; margin: 0px; padding: 0px;\">awk<\/span> -F<span style=\"color: red; margin: 0px; padding: 0px;\">'inet addr:'<\/span> <span style=\"color: red; margin: 0px; padding: 0px;\">'{ print $2}'<\/span> | <span style=\"color: #c20cb9; font-weight: bold; margin: 0px; padding: 0px;\">awk<\/span> <span style=\"color: red; margin: 0px; padding: 0px;\">'{ print $1}'<\/span><span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">)<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">LB1_IP=<\/span><span style=\"color: red; margin: 0px; padding: 0px;\">\"204.54.1.1\"<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">LB2_IP=<\/span><span style=\"color: red; margin: 0px; padding: 0px;\">\"204.54.1.2\"<\/span><br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># Do some smart logic so that we can use the same script on LB2 too<\/span><br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># SERVER_IP was detected above; do not reset it here or the comparison below always fails<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">OTHER_LB=<\/span><span style=\"color: red; margin: 0px; padding: 0px;\">\"\"<\/span><br \/><span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">[<\/span><span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">[<\/span> <span style=\"color: red; margin: 0px; padding: 0px;\">\"$SERVER_IP\"<\/span> == <span style=\"color: red; margin: 0px; padding: 0px;\">\"$LB1_IP\"<\/span> <span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">]<\/span><span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">]<\/span> &amp;&amp; <span style=\"color: #007800; margin: 0px; padding: 0px;\">OTHER_LB=<\/span><span style=\"color: red; margin: 0px; padding: 0px;\">\"$LB2_IP\"<\/span> || <span style=\"color: 
#007800; margin: 0px; padding: 0px;\">OTHER_LB=<\/span><span style=\"color: red; margin: 0px; padding: 0px;\">\"$LB1_IP\"<\/span><br \/><span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">[<\/span><span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">[<\/span> <span style=\"color: red; margin: 0px; padding: 0px;\">\"$OTHER_LB\"<\/span> == <span style=\"color: red; margin: 0px; padding: 0px;\">\"$LB2_IP\"<\/span> <span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">]<\/span><span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">]<\/span> &amp;&amp; <span style=\"color: #007800; margin: 0px; padding: 0px;\">OPP_LB=<\/span><span style=\"color: red; margin: 0px; padding: 0px;\">\"$LB1_IP\"<\/span> || <span style=\"color: #007800; margin: 0px; padding: 0px;\">OPP_LB=<\/span><span style=\"color: red; margin: 0px; padding: 0px;\">\"$LB2_IP\"<\/span><br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\">### IPs ###<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">PUB_SSH_ONLY=<\/span><span style=\"color: red; margin: 0px; padding: 0px;\">\"122.xx.yy.zz\/29\"<\/span><br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\">#### FILES #####<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">BLOCKED_IP_TDB=<\/span>\/root\/.fw\/blocked.ip.txt<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">SPOOFIP=<\/span><span style=\"color: red; margin: 0px; padding: 0px;\">\"127.0.0.0\/8 192.168.0.0\/16 172.16.0.0\/12 10.0.0.0\/8 169.254.0.0\/16 0.0.0.0\/8 240.0.0.0\/4 255.255.255.255\/32 168.254.0.0\/16 224.0.0.0\/4 240.0.0.0\/5 248.0.0.0\/5 192.0.2.0\/24\"<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">BADIPS=<\/span>$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">(<\/span> <span style=\"color: 
#7a0874; font-weight: bold; margin: 0px; padding: 0px;\">[<\/span><span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">[<\/span> -f <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>BLOCKED_IP_TDB<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> <span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">]<\/span><span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">]<\/span> &amp;&amp; <span style=\"color: #c20cb9; font-weight: bold; margin: 0px; padding: 0px;\">egrep<\/span> -v <span style=\"color: red; margin: 0px; padding: 0px;\">\"^#|^$\"<\/span> <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>BLOCKED_IP_TDB<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span><span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">)<\/span><br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\">### Interfaces ###<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">PUB_IF=<\/span><span style=\"color: red; margin: 0px; padding: 0px;\">\"eth0\"<\/span>   <span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># public interface<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">LO_IF=<\/span><span style=\"color: red; margin: 0px; padding: 0px;\">\"lo\"<\/span>      <span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># loopback<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">VPN_IF=<\/span><span style=\"color: red; margin: 0px; padding: 0px;\">\"eth1\"<\/span>   <span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># vpn \/ private 
net<\/span><br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\">### start firewall ###<\/span><br \/><span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">echo<\/span> <span style=\"color: red; margin: 0px; padding: 0px;\">\"Setting LB1 $(hostname) Firewall...\"<\/span><br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># DROP and close everything <\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -P INPUT DROP<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -P OUTPUT DROP<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -P FORWARD DROP<br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># Unlimited lo access<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>LO_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -j ACCEPT<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A OUTPUT -o <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>LO_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -j ACCEPT<br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># Unlimited vpn \/ pnet access<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>VPN_IF<span style=\"color: #7a0874; font-weight: bold; 
}<\/span><\/span> -j ACCEPT<br \/><span">
margin: 0px; padding: 0px;\">}<\/span><\/span> -j ACCEPT<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A OUTPUT -o <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>VPN_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -j ACCEPT<br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># Drop new connections that do not start with SYN<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp ! --syn -m state --state NEW -j DROP<br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># Drop Fragments<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -f -j DROP<br \/>&nbsp;<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span>  -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span>  -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 
0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp --tcp-flags ALL ALL -j DROP<br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># Drop NULL packets<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span>  -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp --tcp-flags ALL NONE -m limit --limit <span style=\"color: black; margin: 0px; padding: 0px;\">5<\/span>\/m --limit-burst <span style=\"color: black; margin: 0px; padding: 0px;\">7<\/span> -j LOG --log-prefix <span style=\"color: red; margin: 0px; padding: 0px;\">\" NULL Packets \"<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span>  -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp --tcp-flags ALL NONE -j DROP<br \/>&nbsp;<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span>  -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp --tcp-flags SYN,RST SYN,RST -j DROP<br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># Drop XMAS<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span>  -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: 
bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit <span style=\"color: black; margin: 0px; padding: 0px;\">5<\/span>\/m --limit-burst <span style=\"color: black; margin: 0px; padding: 0px;\">7<\/span> -j LOG --log-prefix <span style=\"color: red; margin: 0px; padding: 0px;\">\" XMAS Packets \"<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span>  -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP<br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># Drop FIN packet scans<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span>  -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp --tcp-flags FIN,ACK FIN -m limit --limit <span style=\"color: black; margin: 0px; padding: 0px;\">5<\/span>\/m --limit-burst <span style=\"color: black; margin: 0px; padding: 0px;\">7<\/span> -j LOG --log-prefix <span style=\"color: red; margin: 0px; padding: 0px;\">\" Fin Packets Scan \"<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span>  -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp --tcp-flags FIN,ACK FIN -j DROP<br 
\/>&nbsp;<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span>  -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP<br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># Log and get rid of broadcast \/ multicast and invalid <\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span>  -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -m pkttype --pkt-<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">type<\/span> broadcast -j LOG --log-prefix <span style=\"color: red; margin: 0px; padding: 0px;\">\" Broadcast \"<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span>  -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -m pkttype --pkt-<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">type<\/span> broadcast -j DROP<br \/>&nbsp;<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span>  -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -m pkttype --pkt-<span style=\"color: #7a0874; font-weight: 
type<\/span> multicast -j LOG">
bold; margin: 0px; padding: 0px;\">type<\/span> multicast -j LOG --log-prefix <span style=\"color: red; margin: 0px; padding: 0px;\">\" Multicast \"<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span>  -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -m pkttype --pkt-<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">type<\/span> multicast -j DROP<br \/>&nbsp;<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span>  -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -m state --state INVALID -j LOG --log-prefix <span style=\"color: red; margin: 0px; padding: 0px;\">\" Invalid \"<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span>  -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -m state --state INVALID -j DROP<br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># Log and block spoofed ips<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -N spooflist<br \/><span style=\"color: black; font-weight: bold; margin: 0px; padding: 0px;\">for<\/span> ipblock <span style=\"color: black; font-weight: bold; margin: 0px; padding: 0px;\">in<\/span> <span style=\"color: #007800; margin: 0px; padding: 0px;\">$SPOOFIP<\/span><br \/><span style=\"color: black; 
font-weight: bold; margin: 0px; padding: 0px;\">do<\/span><br \/>         <span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A spooflist -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -s <span style=\"color: #007800; margin: 0px; padding: 0px;\">$ipblock<\/span> -j LOG --log-prefix <span style=\"color: red; margin: 0px; padding: 0px;\">\" SPOOF List Block \"<\/span><br \/>         <span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A spooflist -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -s <span style=\"color: #007800; margin: 0px; padding: 0px;\">$ipblock<\/span> -j DROP<br \/><span style=\"color: black; font-weight: bold; margin: 0px; padding: 0px;\">done<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -I INPUT -j spooflist<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -I OUTPUT -j spooflist<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -I FORWARD -j spooflist<br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># Allow <span style=\"color: #c20cb9; font-weight: bold; margin: 0px; padding: 0px;\">ssh<\/span> only from selected public ips<\/span><br \/><span style=\"color: black; font-weight: bold; margin: 0px; padding: 0px;\">for<\/span> ip <span style=\"color: black; font-weight: bold; margin: 0px; padding: 0px;\">in<\/span> <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 
0px;\">{<\/span>PUB_SSH_ONLY<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span><br \/><span style=\"color: black; font-weight: bold; margin: 0px; padding: 0px;\">do<\/span><br \/>        <span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -s <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>ip<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp -d <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>SERVER_IP<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> --destination-port <span style=\"color: black; margin: 0px; padding: 0px;\">22<\/span> -j ACCEPT<br \/>        <span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A OUTPUT -o <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -d <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>ip<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp -s <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>SERVER_IP<span style=\"color: #7a0874; font-weight: bold; margin: 0px; 
padding: 0px;\">}<\/span><\/span> --sport <span style=\"color: black; margin: 0px; padding: 0px;\">22<\/span> -j ACCEPT<br \/><span style=\"color: black; font-weight: bold; margin: 0px; padding: 0px;\">done<\/span><br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># allow incoming ICMP <span style=\"color: #c20cb9; font-weight: bold; margin: 0px; padding: 0px;\">ping<\/span> pong stuff<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p icmp --icmp-<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">type<\/span> <span style=\"color: black; margin: 0px; padding: 0px;\">8<\/span> -s <span style=\"color: black; margin: 0px; padding: 0px;\">0<\/span>\/<span style=\"color: black; margin: 0px; padding: 0px;\">0<\/span> -m state --state NEW,ESTABLISHED,RELATED -m limit --limit <span style=\"color: black; margin: 0px; padding: 0px;\">30<\/span>\/sec  -j ACCEPT<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A OUTPUT -o <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p icmp --icmp-<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">type<\/span> <span style=\"color: black; margin: 0px; padding: 0px;\">0<\/span> -d <span style=\"color: black; margin: 0px; padding: 0px;\">0<\/span>\/<span style=\"color: black; margin: 0px; padding: 0px;\">0<\/span> -m state --state ESTABLISHED,RELATED -j ACCEPT<br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; 
# allow incoming HTTP port">
margin: 0px; padding: 0px;\"># allow incoming HTTP port <span style=\"color: black; margin: 0px; padding: 0px;\">80<\/span><\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp -s <span style=\"color: black; margin: 0px; padding: 0px;\">0<\/span>\/<span style=\"color: black; margin: 0px; padding: 0px;\">0<\/span> --sport <span style=\"color: black; margin: 0px; padding: 0px;\">1024<\/span>:<span style=\"color: black; margin: 0px; padding: 0px;\">65535<\/span> --dport <span style=\"color: black; margin: 0px; padding: 0px;\">80<\/span> -m state --state NEW,ESTABLISHED -j ACCEPT<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A OUTPUT -o <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp --sport <span style=\"color: black; margin: 0px; padding: 0px;\">80<\/span> -d <span style=\"color: black; margin: 0px; padding: 0px;\">0<\/span>\/<span style=\"color: black; margin: 0px; padding: 0px;\">0<\/span> --dport <span style=\"color: black; margin: 0px; padding: 0px;\">1024<\/span>:<span style=\"color: black; margin: 0px; padding: 0px;\">65535<\/span> -m state --state ESTABLISHED -j ACCEPT<br \/>&nbsp;<br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># allow outgoing ntp <\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A OUTPUT -o <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 
0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p udp --dport <span style=\"color: black; margin: 0px; padding: 0px;\">123<\/span> -m state --state NEW,ESTABLISHED -j ACCEPT<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p udp --sport <span style=\"color: black; margin: 0px; padding: 0px;\">123<\/span> -m state --state ESTABLISHED -j ACCEPT<br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># allow outgoing smtp<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A OUTPUT -o <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp --dport <span style=\"color: black; margin: 0px; padding: 0px;\">25<\/span> -m state --state NEW,ESTABLISHED -j ACCEPT<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>PUB_IF<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp --sport <span style=\"color: black; margin: 0px; padding: 0px;\">25<\/span> -m state --state ESTABLISHED -j ACCEPT<br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\">### add your other rules here ####<\/span><br \/>&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 
0px;\">#######################<\/span><br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># drop and log everything else<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A INPUT -m limit --limit <span style=\"color: black; margin: 0px; padding: 0px;\">5<\/span>\/m --limit-burst <span style=\"color: black; margin: 0px; padding: 0px;\">7<\/span> -j LOG --log-prefix <span style=\"color: red; margin: 0px; padding: 0px;\">\" DEFAULT DROP \"<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A INPUT -j DROP<br \/>&nbsp;<br \/><span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">exit<\/span> <span style=\"color: black; margin: 0px; padding: 0px;\">0<\/span><\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#8: Controlling Buffer Overflow Attacks<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Edit nginx.conf and set the buffer size limitations for all clients.<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># vi \/usr\/local\/nginx\/conf\/nginx.conf<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Edit and set the buffer size limitations for all clients as follows:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 
'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">&nbsp;<br \/> ## Start: Size Limits &amp; Buffer Overflows ##<br \/>  client_body_buffer_size  1K<span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">;<\/span><br \/>  client_header_buffer_size 1k<span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">;<\/span><br \/>  client_max_body_size 1k<span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">;<\/span><br \/>  large_client_header_buffers <span style=\"margin: 0px; padding: 0px;\">2<\/span> 1k<span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">;<\/span><br \/> ## END: Size Limits &amp; Buffer Overflows ##<br \/>&nbsp;<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Where,<\/div>\n<ol style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">client_body_buffer_size 1k<\/strong>&nbsp;&#8211; (default is 8k or 16k) The directive specifies the client request body buffer size.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">client_header_buffer_size 1k<\/strong>&nbsp;&#8211; Directive sets the header buffer size for the request header from the client. For the overwhelming majority of requests a buffer size of 1K is sufficient. 
Increase this if you have a custom header or a large cookie sent from the client (e.g., wap client).<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">client_max_body_size 1k<\/strong>&#8211; Directive assigns the maximum accepted body size of client request, indicated by the line Content-Length in the header of request. If size is greater the given one, then the client gets the error &#8220;Request Entity Too Large&#8221; (413). Increase this when you are getting file uploads via the POST method.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">large_client_header_buffers 2 1k<\/strong>&nbsp;&#8211; Directive assigns the maximum number and size of buffers for large headers to read from client request. By default the size of one buffer is equal to the size of page, depending on platform this either 4K or 8K, if at the end of working request connection converts to state keep-alive, then these buffers are freed. 2x1k will accept 2kB data URI. This will also help combat bad bots and DoS attacks.<\/li>\n<\/ol>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">You also need to control timeouts to improve server performance and cut clients. 
Edit it as follows:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">&nbsp;<br \/> ## Start: Timeouts ##<br \/>  client_body_timeout   <span style=\"margin: 0px; padding: 0px;\">10<\/span><span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">;<\/span><br \/>  client_header_timeout <span style=\"margin: 0px; padding: 0px;\">10<\/span><span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">;<\/span><br \/>  keepalive_timeout     <span style=\"margin: 0px; padding: 0px;\">5<\/span> <span style=\"margin: 0px; padding: 0px;\">5<\/span><span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">;<\/span><br \/>  send_timeout          <span style=\"margin: 0px; padding: 0px;\">10<\/span><span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">;<\/span><br \/>## End: Timeouts ##<br \/>&nbsp;<\/pre>\n<ol style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">client_body_timeout 10;<\/strong>&nbsp;&#8211; Sets the timeout for reading the client request body. The timeout applies to the gap between two successive read operations, not to the transfer of the whole body. If the client sends nothing within this time, nginx returns the error &#8220;Request Time-out&#8221; (408). The default is 60 seconds.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">client_header_timeout 10;<\/strong>&nbsp;&#8211; Sets the timeout for reading the client request header. 
If the client has not sent the entire header within this time, nginx returns the error &#8220;Request Time-out&#8221; (408). The default is 60 seconds.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">keepalive_timeout 5 5;<\/strong>&nbsp;&#8211; The first parameter sets how long an idle keep-alive connection stays open on the server side; the server closes the connection after this time (the default is 75 seconds). The optional second parameter sets the value in the Keep-Alive: timeout=time response header, which persuades some browsers to close the connection themselves so the server does not have to. Without the second parameter nginx does not send a Keep-Alive header (which is not what makes a connection keep-alive in the first place).<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">send_timeout 10;<\/strong>&nbsp;&#8211; Sets the timeout for transmitting a response to the client. The timeout applies to the gap between two successive write operations, not to the transfer of the whole response; if the client accepts nothing within this time, nginx closes the connection. The default is 60 seconds.<\/li>\n<\/ol>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#9: Control Simultaneous Connections<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">You can use the ngx_http_limit_conn_module (documented as NginxHttpLimitZone in older wikis) to limit the number of simultaneous connections per key, most commonly per client IP address. It counts open connections, not requests, and every client behind a shared NAT or corporate proxy presents the same address, so keep the limit generous enough for them. 
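A single http context that applies the size limits and timeouts of #8 together with the connection cap of #9, written as an added example and not taken from the original page. It uses the limit_conn_zone syntax that replaced limit_zone in nginx 1.1.8 and adds a limit_req zone, which this page does not otherwise cover, because the two modules are normally deployed together. The zone names, the example.com host, the /upload/ location and the numbers themselves are assumptions to be tuned against real traffic:

```nginx
# Added example (not from the original page). Zone names, host and the /upload/
# path are assumptions; tune every number against what your real clients send.
http {
    ## Size limits: cap what nginx buffers per request ##
    client_body_buffer_size     16k;   # body buffered in memory before spilling to a temp file
    client_header_buffer_size   1k;    # first header buffer; almost every request fits
    large_client_header_buffers 4 8k;  # header lines that overflow 1k; a header line over 8k
                                       # is answered 400, a request line over 8k is answered 414
    client_max_body_size        1m;    # anything larger is rejected with 413

    ## Timeouts: drop slow or idle clients early (slowloris-style DoS) ##
    client_body_timeout   10s;  # between two successive body reads, not the whole body
    client_header_timeout 10s;  # the whole header must arrive within this
    keepalive_timeout     5s 5s;
    send_timeout          10s;  # between two successive writes to the client

    ## Connection cap: one state per client address ##
    ## 10m holds about 320,000 IPv4 states (IPv6 states are 64 bytes, so half that) ##
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_conn        perip 10;
    limit_conn_status 429;      # default is 503; 429 tells the client it is the problem

    ## Request rate: 10 requests/second per address, bursts of 20 absorbed without delay ##
    limit_req_zone $binary_remote_addr zone=perip_req:10m rate=10r/s;
    limit_req        zone=perip_req burst=20 nodelay;
    limit_req_status 429;

    server {
        listen 80;
        server_name example.com;
        root /usr/local/nginx/html;

        location / {
            # inherits every limit above
        }

        location /upload/ {
            # the only place large bodies are accepted; with the global 1m limit,
            # file uploads anywhere else fail with 413 before reaching the application
            client_max_body_size 20m;
            client_body_timeout  60s;   # uploads on slow links legitimately take longer
        }
    }
}
```

Run the usual nginx -t before reloading; a limit_conn_zone or limit_req_zone that is referenced before it is declared, or declared outside the http context, is a configuration error rather than a silent no-op.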
Edit nginx.conf:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">&nbsp;<br \/>### Define the shared memory zone that holds one state per key, here one per client IP ($binary_remote_addr). ###<br \/>### 1m holds about <span style=\"margin: 0px; padding: 0px;\">32000<\/span> IPv4 states of <span style=\"margin: 0px; padding: 0px;\">32<\/span> bytes each (IPv6 states take <span style=\"margin: 0px; padding: 0px;\">64<\/span> bytes), so 5m holds about <span style=\"margin: 0px; padding: 0px;\">160000<\/span> addresses. ###<br \/>### The older form, limit_zone slimits $binary_remote_addr 5m; was replaced by limit_conn_zone in nginx 1.1.8; use the new syntax. ###<br \/>       limit_conn_zone $binary_remote_addr zone=slimits:5m<span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">;<\/span><br \/>&nbsp;<br \/>### Maximum number of simultaneous connections per key, i.e. ###<br \/>### from a single IP address; the connection that exceeds it is answered with 503 ###<br \/>        limit_conn slimits <span style=\"margin: 0px; padding: 0px;\">5<\/span><span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">;<\/span><br \/>&nbsp;<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">The above limits each remote IP address to no more than 5 concurrently open connections; a sixth connection is answered with 503 Service Unavailable (change the code with limit_conn_status, available since 1.3.15). Five is low for a site whose pages load many assets in parallel, since browsers open up to six connections per host, so measure before you tighten.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#10: Allow Access To Our Domain Only<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">If a bot 
is scanning the server by IP address or probing random host names, do not answer it at all. Serve only the virtual hosts you have configured (or the names you reverse-proxy for), never a request that arrives with a bare IP address or an unknown Host header. Status 444 is nginx-specific: it closes the connection without sending a response. This check has to be present in every server block; a default_server that returns 444 is the cleaner catch-all:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">## Only requests to our Host are allowed i.e. nixcraft.in, images.nixcraft.in and www.nixcraft.in<br \/>      if ($host !~ ^(nixcraft.in|www.nixcraft.in|images.nixcraft.in)$ ) {<br \/>         return 444;<br \/>      }<br \/>##<br \/><\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#11: Limit Available Methods<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">GET and POST are by far the most common methods on the Internet. HTTP methods are defined in&nbsp;<a href=\"http:\/\/www.ietf.org\/rfc\/rfc2616.txt\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">RFC 2616<\/a> (since superseded by RFC 7231 and RFC 9110). If the web server does not need a method, it should be refused. 
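The if checks in #10 and #11 have to be copied into every server block, and when they fire, 444 drops the connection without telling the client anything. As an added example (not from the original page), the following does the same two jobs with the mechanisms nginx provides for them: a default_server that swallows every request for a host you do not serve, and limit_except, which refuses methods per location with a proper 403. The host names, the /api/ path and the certificate paths for the catch-all TLS listener are assumptions:

```nginx
# Added example (not from the original page). Host names, the /api/ path and the
# certificate used by the catch-all TLS listener are assumptions.
http {
    # Catch-all: a request whose Host header matches no server_name (a bare IP,
    # a random scanner name, a stale DNS record) lands here and the connection
    # is closed without a response. Nothing leaks about the real sites.
    server {
        listen 80  default_server;
        listen 443 ssl default_server;
        server_name _;
        # the TLS listener still needs a certificate; a self-signed one is fine,
        # no client that reaches this block is one you want to serve anyway
        ssl_certificate     /usr/local/nginx/conf/default.crt;
        ssl_certificate_key /usr/local/nginx/conf/default.key;
        return 444;
    }

    # Real site: only the names listed here are ever served
    server {
        listen 80;
        server_name example.com www.example.com images.example.com;
        root /usr/local/nginx/html;

        # Static content: GET only (HEAD is implied whenever GET is allowed);
        # POST, PUT, DELETE, TRACE and the rest get 403 from the deny rule
        location / {
            limit_except GET {
                deny all;
            }
        }

        # Form and upload handlers: GET, HEAD and POST
        location /api/ {
            limit_except GET POST {
                deny all;
            }
        }
    }
}
```

limit_except takes the same allow, deny and auth_basic directives as a location, so a method can also be permitted for one source network and refused for everyone else, something the single regex if cannot express.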
The following will filter and only allow GET, HEAD and POST methods (per location, limit_except is the idiomatic alternative to an if on $request_method):<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">## Only allow these request methods ##<br \/>     if ($request_method !~ ^(GET|HEAD|POST)$ ) {<br \/>         return 444;<br \/>     }<br \/>## Do not accept DELETE, SEARCH and other methods ##<br \/>## 444 closes the connection silently; use return 405; if clients should learn that the method is refused ##<br \/><\/pre>\n<h3 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; font-weight: normal; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">More About HTTP Methods<\/h3>\n<ul style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; list-style: square; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\">The GET method is used to request a document such as http:\/\/www.cyberciti.biz\/index.php.<\/li>\n<li style=\"margin: 0px; padding: 0px;\">The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response.<\/li>\n<li style=\"margin: 0px; padding: 0px;\">The POST method may do anything: store or update data, order a product, or send e-mail from a submitted form. It is usually handled by server-side code in PHP, Perl, Python and so on. 
You need it if you want to upload files or process forms on the server.<\/li>\n<\/ul>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#12: How Do I Deny Certain User-Agents?<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">You can block requests by User-Agent, i.e. scanners, bots and scrapers that abuse your server. The header is supplied by the client and trivially forged, so treat this as a nuisance filter, not as access control.<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">## Block download agents (~* is a case-insensitive match) ##<br \/>     if ($http_user_agent ~* LWP::Simple|BBBike|wget) {<br \/>            return 403;<br \/>     }<br \/>##<br \/><\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Block robots called msnbot and scrapbot (msnbot is Microsoft&#8217;s search crawler, so this also drops the site from Bing):<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">## Block some robots ##<br \/>     if ($http_user_agent ~* msnbot|scrapbot) {<br \/>            return 403;<br \/>     }<br \/><\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 
#12:">
0.611em; padding: 0px;\">#12: How Do I Block Referral Spam?<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Referer spam is a nuisance rather than a direct threat to the server: the spammer sends requests carrying a forged Referer so that their site shows up in your logs and statistics pages and, if those are published, picks up a backlink. You can refuse such requests with these lines. The regex matches substrings anywhere in the Referer, case-insensitively, so generic words such as organic or love will also block legitimate sites whose URLs contain them; tune the list to what actually appears in your logs.<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">## Deny certain Referers ###<br \/>     if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) )<br \/>     {<br \/>         # return 404;<br \/>         return 403;<br \/>     }<br \/>##<br \/><\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#13: How Do I Stop Image Hotlinking?<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Image or HTML hotlinking means someone links to one of your images from their own site, so that your server delivers it as if it were part of their page. You end up paying the bandwidth bill and the content appears to belong to the hijacker. This is usually done on forums and blogs. 
It is worth blocking hotlinking at the server level:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># Stop deep linking or hot linking<br \/>location \/images\/ {<br \/>  # none = no Referer at all (direct visits); blocked = Referer stripped by a proxy or firewall<br \/>  valid_referers none blocked www.example.com example.com;<br \/>   if ($invalid_referer) {<br \/>     return   403;<br \/>   }<br \/>}<\/pre>\n<h3 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; font-weight: normal; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">Example: Rewrite And Display Image<\/h3>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Another example, which sends hotlinkers to a placeholder image instead of a 403. Because the replacement is an absolute URL, nginx answers with a 302 redirect whatever the rewrite flag says; the regex only matches files under \/images\/uploads\/, so the follow-up request for banned.jpg is not caught again:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">valid_referers none blocked www.example.com example.com;<br \/> if ($invalid_referer) {<br \/>  rewrite ^\/images\/uploads.*.(gif|jpg|jpeg|png)$ http:\/\/www.example.com\/banned.jpg last;<br \/> }<br \/><\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">See also:<\/div>\n<ul style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; 
font-size: 14px; line-height: 21.9939994812012px; list-style: square; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\">HowTo:&nbsp;<a href=\"http:\/\/nginx.org\/pipermail\/nginx\/2007-June\/001082.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Use nginx map<\/a>&nbsp;to block image hotlinking. This is useful if you want to block a large number of domains.<\/li>\n<\/ul>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#14: Directory Restrictions<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">You can set access control for a specified directory. Configure every web directory case by case, allowing access only where it is needed.<\/div>\n<h3 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; font-weight: normal; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">Limiting Access By IP Address<\/h3>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">You can limit access to the \/docs\/ directory&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/linux-unix-nginx-access-control-howto\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">by IP address<\/a>. The allow and deny rules are checked in order and the first match wins, so the single blocked workstation must come before the subnet that contains it:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; 
font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">location \/docs\/ {<br \/>  ## block one workstation<br \/>  deny    192.168.1.1;<br \/>  ## allow anyone else in 192.168.1.0\/24<br \/>  allow   192.168.1.0\/24;<br \/>  ## drop the rest of the world<br \/>  deny    all;<br \/>}<\/pre>\n<h3 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; font-weight: normal; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">Password Protect The Directory<\/h3>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">First create the password file and add a user called vivek. Keep the file outside the document root so it can never be served:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># mkdir \/usr\/local\/nginx\/conf\/.htpasswd\/<br style=\"margin: 0px; padding: 0px;\" \/># htpasswd -c -B \/usr\/local\/nginx\/conf\/.htpasswd\/passwd vivek<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Edit nginx.conf and protect the required directories as follows. HTTP Basic authentication sends the password with every request, so only use it over HTTPS:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">### Password Protect \/personal-images\/ and \/delta\/ directories ###<br \/>location ~ \/(personal-images\/.*|delta\/.*) {<br \/>  auth_basic  \"Restricted\";<br \/>  
auth_basic_user_file   \/usr\/local\/nginx\/conf\/.htpasswd\/passwd;<br \/>}<br \/><\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Once a password file has been generated, subsequent users can be added with the following command. The -B flag stores a bcrypt hash, which nginx verifies through the system crypt() where that implements bcrypt, as libxcrypt-based Linux distributions do; omit the flag to fall back to the apr1 MD5 default. Avoid -s: its {SHA} hashes are unsalted.<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># htpasswd -B \/usr\/local\/nginx\/conf\/.htpasswd\/passwd userName<\/code><\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#15: Nginx SSL Configuration<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">HTTP is a plain-text protocol and is open to passive monitoring and to tampering by anyone on the network path. 
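A hardened HTTPS server block that puts #14 and #15 together, added here as an example and not taken from the original page: plain HTTP only redirects, TLS is limited to 1.2 and 1.3 with forward-secret AEAD suites, HSTS is sent, and the /admin/ location requires both a permitted source network and a password. The host names, paths, the 10.0.0.0/8 administrative network and the cipher list are assumptions; the commented-out lines show the weaker settings they replace:

```nginx
# Added example (not from the original page). Host names, paths, the admin
# network and the cipher list are assumptions; commented lines are the weak form.
server {
    listen 80;
    server_name example.com www.example.com;
    # plain HTTP never serves content, it only sends clients to HTTPS
    return 301 https://example.com$request_uri;
}

server {
    # weak: listen 443; ssl on;   (ssl on was deprecated in 1.15.0 and removed in 1.25.1)
    listen 443 ssl;
    server_name example.com www.example.com;

    # weak: a 1024-bit RSA key; use 2048-bit RSA or P-256 ECDSA
    ssl_certificate     /usr/local/nginx/conf/server.crt;
    ssl_certificate_key /usr/local/nginx/conf/server.key;

    # weak: no ssl_protocols line (older releases then enabled SSLv3, TLS 1.0 and 1.1)
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites: ECDHE for forward secrecy, AES-GCM or ChaCha20 (AEAD) only.
    # TLS 1.3 suites are fixed by the library and are not affected by this list.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers off;   # every listed suite is acceptable; let the client choose
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;         # ticket keys rotate only on restart, which weakens forward secrecy

    # browsers remember to use HTTPS for a year; 'always' also sends it on error pages
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;

    access_log /usr/local/nginx/logs/ssl.access.log;
    error_log  /usr/local/nginx/logs/ssl.error.log;

    root /usr/local/nginx/html;

    # #14: the admin area needs BOTH a permitted source address AND a valid password
    location /admin/ {
        satisfy all;              # the default, spelled out; 'any' would make either check enough
        allow 10.0.0.0/8;
        deny  all;
        auth_basic           'Restricted';
        auth_basic_user_file /usr/local/nginx/conf/.htpasswd/passwd;
    }
}
```

Check the result from outside with openssl s_client -connect example.com:443 -tls1_1 (the handshake must fail) and -tls1_2 (it must succeed), and confirm the Strict-Transport-Security header appears on a 404 as well as on a 200.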
Use TLS (still widely called SSL) to encrypt traffic to your users.<\/div>\n<h3 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; font-weight: normal; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">Create an SSL Certificate<\/h3>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Type the following commands. This produces a self-signed certificate, which browsers will warn about; for a public site, send server.csr to a certificate authority instead of self-signing. Use a 2048-bit key: 1024-bit RSA is below what browsers and CAs accept.<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># cd \/usr\/local\/nginx\/conf<br style=\"margin: 0px; padding: 0px;\" \/># openssl genrsa -out server.key 2048<br style=\"margin: 0px; padding: 0px;\" \/># chmod 600 server.key<br style=\"margin: 0px; padding: 0px;\" \/># openssl req -new -key server.key -out server.csr<br style=\"margin: 0px; padding: 0px;\" \/># openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Edit nginx.conf and update it as follows:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">server {<br \/>    server_name example.com;<br \/>    # ssl on; was deprecated in 1.15.0 and removed in 1.25.1; enable TLS on the listen line instead<br \/>    listen 443 ssl;<br \/>    ssl_certificate \/usr\/local\/nginx\/conf\/server.crt;<br \/>    
ssl_certificate_key \/usr\/local\/nginx\/conf\/server.key;<br \/>    # releases before 1.9.1 enabled SSLv3 by default, and before 1.23.4 TLS 1.0 and 1.1; say so explicitly<br \/>    ssl_protocols TLSv1.2 TLSv1.3;<br \/>    access_log \/usr\/local\/nginx\/logs\/ssl.access.log;<br \/>    error_log \/usr\/local\/nginx\/logs\/ssl.error.log;<br \/>}<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Test the configuration and reload nginx:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># \/usr\/local\/nginx\/sbin\/nginx -t<br style=\"margin: 0px; padding: 0px;\" \/># \/usr\/local\/nginx\/sbin\/nginx -s reload<\/code><br style=\"margin: 0px; padding: 0px;\" \/>See also:<\/div>\n<ul style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; list-style: square; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\">For more information, read the&nbsp;<a href=\"http:\/\/wiki.nginx.org\/NginxHttpSslModule\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Nginx SSL documentation<\/a>.<\/li>\n<\/ul>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#16: Nginx And PHP Security Tips<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">PHP is one of the most popular server-side scripting languages. 
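Most nginx and PHP break-ins come not from php.ini but from the fastcgi location that hands requests to PHP-FPM. The following is an added example (not from the original page) of the classic mistake and its fix: with cgi.fix_pathinfo=1, which is PHP's default, a location that matches any URI ending in .php executes /uploads/avatar.jpg when the request is for /uploads/avatar.jpg/x.php, because PHP walks back along the path until it finds a file that exists. The socket path, document root and /uploads/ directory are assumptions:

```nginx
# Added example (not from the original page). Socket path, document root and the
# /uploads/ directory are assumptions. [.] is used in the regexes for a literal dot.
server {
    listen 80;
    server_name example.com;
    root /usr/local/nginx/html;
    index index.php index.html;

    # WEAK (still common in tutorials): every URI ending in .php goes to PHP-FPM.
    # With cgi.fix_pathinfo=1 a request for /uploads/avatar.jpg/x.php makes PHP
    # execute avatar.jpg, so any user upload becomes remote code execution.
    #
    # location ~ [.]php$ {
    #     fastcgi_pass  unix:/run/php-fpm.sock;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     include       fastcgi_params;
    # }

    # HARDENED
    location ~ [.]php$ {
        # 1) the requested file must really exist, otherwise 404 and PHP is never called
        try_files $uri =404;
        # 2) separate the script from any trailing path so PATH_INFO can never
        #    change which file is executed
        fastcgi_split_path_info ^(.+?[.]php)(/.*)$;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include       fastcgi_params;
        fastcgi_pass  unix:/run/php-fpm.sock;
        # 3) belt and braces: set cgi.fix_pathinfo=0 in php.ini or the FPM pool
    }

    # 4) nothing under a user-writable directory is ever executed
    location ^~ /uploads/ {
        location ~ [.](php|phtml|phar)$ {
            return 403;
        }
    }
}
```

try_files checks the full URI, so an application that routes through /index.php/some/route needs the try_files line removed and must rely on cgi.fix_pathinfo=0 plus the split_path_info regex instead; the /uploads/ rule stays either way.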
Edit \/etc\/php.ini (or the php.ini of your PHP-FPM installation) as follows. php.ini comments start with a semicolon; the # form was removed in PHP 7.0:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">&nbsp;<br \/>; Disallow dangerous functions; extend or trim the list to what the application needs<br \/><span style=\"color: #000099; margin: 0px; padding: 0px;\">disable_functions <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> phpinfo, system, exec, shell_exec, passthru, popen, proc_open, mail<\/span><br \/>&nbsp;<br \/>;; Try to limit resources ;;<br \/>&nbsp;<br \/>; Maximum execution time of each script, in seconds<br \/><span style=\"color: #000099; margin: 0px; padding: 0px;\">max_execution_time <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">30<\/span><\/span><br \/>&nbsp;<br \/>; Maximum amount of time each script may spend parsing request data<br \/><span style=\"color: #000099; margin: 0px; padding: 0px;\">max_input_time <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">60<\/span><\/span><br \/>&nbsp;<br \/>; Maximum amount of memory a script may consume (8MB here; the PHP default is 128M and most applications need it)<br \/><span style=\"color: #000099; margin: 0px; padding: 0px;\">memory_limit <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> 8M<\/span><br \/>&nbsp;<br \/>; Maximum size of POST data that PHP will accept; must be at least upload_max_filesize when uploads are on,<br \/>; and nginx client_max_body_size must allow it too. Set it once: a later post_max_size line would override this one<br \/><span style=\"color: #000099; margin: 0px; padding: 0px;\">post_max_size <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> 8M<\/span><br \/>&nbsp;<br \/>; Whether to allow HTTP file uploads; leave Off unless the application needs them<br \/><span style=\"color: #000099; margin: 0px; padding: 0px;\">file_uploads <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> Off<\/span><br \/>&nbsp;<br \/>; Maximum allowed size for uploaded files<br \/><span style=\"color: #000099; margin: 0px; padding: 0px;\">upload_max_filesize <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> 2M<\/span><br \/>&nbsp;<br \/>; Do not expose PHP error messages to external users<br \/><span style=\"color: #000099; margin: 0px; padding: 0px;\">display_errors <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> Off<\/span><br \/>&nbsp;<br \/>; Log all errors instead<br \/><span style=\"color: #000099; margin: 0px; padding: 0px;\">log_errors <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> On<\/span><br \/>&nbsp;<br \/>; Restrict PHP information leakage (the X-Powered-By header)<br \/><span style=\"color: #000099; margin: 0px; padding: 0px;\">expose_php <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> Off<\/span><br \/>&nbsp;<br \/>; Keep the CGI redirect guard on (it is the default). Setting it to 0 lets anyone execute scripts<br \/>; directly through the CGI binary when PHP runs as CGI<br \/>cgi.<span style=\"color: #000099; margin: 0px; padding: 0px;\">force_redirect <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">1<\/span><\/span><br \/>&nbsp;<br \/>; Avoid opening remote files with include, require and fopen<br \/><span style=\"color: #000099; margin: 0px; padding: 0px;\">allow_url_fopen <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> Off<\/span><br \/>&nbsp;<br \/>; safe_mode, safe_mode_exec_dir, safe_mode_allowed_env_vars and register_globals (removed in PHP 5.4) and<br \/>; sql.safe_mode (removed in PHP 7.2) are often recommended; current PHP ignores them, so run a supported<br \/>; PHP version rather than relying on them.<br \/>&nbsp;<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">See also:<\/div>\n<ul style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; list-style: square; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/www.cyberciti.biz\/faq\/php-resources-limits\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">PHP Security: Limit Resources Used By Script<\/a><\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/www.cyberciti.biz\/faq\/linux-unix-apache-lighttpd-phpini-disable-functions\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">PHP.INI settings: Disable exec, shell_exec, system, popen and Other Functions To Improve Security<\/a><\/li>\n<\/ul>\n<h2 
style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#17: Run Nginx In A Chroot Jail (Containers) If Possible<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Putting nginx in a chroot jail minimizes the damage done by a potential break-in by isolating the web server to a small section of the filesystem. You&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/howto-run-nginx-in-a-chroot-jail\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">can use traditional chroot kind<\/a>&nbsp;of setup with nginx. If possible use&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/howto-setup-freebsd-jail-with-ezjail\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">FreeBSD jails<\/a>,&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/rhel-centos-xen-virtualization-installation-howto.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">XEN<\/a>, or&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/openvz-rhel-centos-linux-tutorial\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">OpenVZ<\/a>&nbsp;virtualization which uses the concept of containers.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#18: Limits Connections Per IP At The Firewall Level<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">A 
webserver must keep an eye on connections and limit connections per second. This is serving 101. Both pf and iptables can throttle end users before they reach your nginx server.<\/div>\n<h3 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; font-weight: normal; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">Linux Iptables: Throttle Nginx Connections Per Second<\/h3>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">The following example&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/lighttpd-set-throughput-connections-per-ip.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">will drop incoming<\/a>&nbsp;connections if an IP makes more than 15 connection attempts to port 80 within 60 seconds:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">&nbsp;<br \/>\/sbin\/iptables -A INPUT -p tcp --dport <span style=\"color: black; margin: 0px; padding: 0px;\">80<\/span> -i eth0 -m state --state NEW -m recent --<span style=\"color: black; font-weight: bold; margin: 0px; padding: 0px;\">set<\/span><br \/>\/sbin\/iptables -A INPUT -p tcp --dport <span style=\"color: black; margin: 0px; padding: 0px;\">80<\/span> -i eth0 -m state --state NEW -m recent --update --seconds <span style=\"color: black; margin: 0px; padding: 0px;\">60<\/span>  --hitcount <span style=\"color: black; margin: 0px; padding: 0px;\">15<\/span> -j DROP<br \/>service iptables save<br \/>&nbsp;<\/pre>\n<h3 style=\"background-color: white; color: #111111; 
font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; font-weight: normal; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">BSD PF: Throttle Nginx Connections Per Second<\/h3>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Edit your&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/opebsd-pf-firewall-block-subnets-ip-address\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">\/etc\/pf.conf<\/a>&nbsp;and update it as follows. The following will limit the maximum number of connections per source to 100. 15\/5 specifies the number of connections per second or span of seconds, i.e. it rate limits the number of new connections to 15 in a 5 second span. If anyone breaks our rules, add them to our abusive_ips table and block them from making any further connections. 
Finally, the flush keyword kills all states created by the matching rule that originate from the host which exceeded these limits.<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\"><span style=\"color: #007800; margin: 0px; padding: 0px;\">webserver_ip=<\/span><span style=\"color: red; margin: 0px; padding: 0px;\">\"202.54.1.1\"<\/span><br \/>table &lt;abusive_ips&gt; persist<br \/>block <span style=\"color: black; font-weight: bold; margin: 0px; padding: 0px;\">in<\/span> quick from &lt;abusive_ips&gt;<br \/>pass <span style=\"color: black; font-weight: bold; margin: 0px; padding: 0px;\">in<\/span> on <span style=\"color: #007800; margin: 0px; padding: 0px;\">$ext_if<\/span> proto tcp to <span style=\"color: #007800; margin: 0px; padding: 0px;\">$webserver_ip<\/span> port www flags S\/SA keep state <span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">(<\/span>max-src-conn <span style=\"color: black; margin: 0px; padding: 0px;\">100<\/span>, max-src-conn-rate <span style=\"color: black; margin: 0px; padding: 0px;\">15<\/span>\/<span style=\"color: black; margin: 0px; padding: 0px;\">5<\/span>, overload &lt;abusive_ips&gt; flush<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">)<\/span><\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Please adjust all values as per your requirements and traffic (browsers may open multiple connections to your site). 
See also:<\/div>\n<ol style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\">Sample&nbsp;<a href=\"http:\/\/bash.cyberciti.biz\/firewall\/pf-firewall-script\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">PF firewall<\/a>&nbsp;script.<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Sample&nbsp;<a href=\"http:\/\/bash.cyberciti.biz\/firewall\/linux-iptables-firewall-shell-script-for-standalone-server\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Iptables firewall<\/a>&nbsp;script.<\/li>\n<\/ol>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#19: Configure Operating System to Protect Web Server<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Turn on SELinux as described above. Set correct permissions on the \/nginx document root. Nginx runs as a user named nginx. However, the files in the DocumentRoot (\/nginx or \/usr\/local\/nginx\/html) should not be owned or writable by that user. 
To find files with wrong permissions, use:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># find \/nginx -user nginx<br style=\"margin: 0px; padding: 0px;\" \/># find \/usr\/local\/nginx\/html -user nginx<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Make sure you change file ownership to root or another user. A typical set of permissions for \/usr\/local\/nginx\/html\/:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># ls -l \/usr\/local\/nginx\/html\/<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Sample outputs:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">-rw-r--r-- 1 root root 925 Jan  3 00:50 error4xx.html<br \/>-rw-r--r-- 1 root root  52 Jan  3 10:00 error5xx.html<br \/>-rw-r--r-- 1 root root 134 Jan  3 00:52 index.html<br \/><\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">You must delete unwanted backup files created by vi or other text editors:<br style=\"margin: 0px; padding: 0px;\" \/><code 
style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># find \/nginx \\( -name '.?*' -not -name '.ht*' -or -name '*~' -or -name '*.bak*' -or -name '*.old*' \\)<br style=\"margin: 0px; padding: 0px;\" \/># find \/usr\/local\/nginx\/html\/ \\( -name '.?*' -not -name '.ht*' -or -name '*~' -or -name '*.bak*' -or -name '*.old*' \\)<\/code><br style=\"margin: 0px; padding: 0px;\" \/>The patterns are quoted so the shell does not expand them, and the whole expression is grouped in \\( \\) so that an action applies to every branch. Append the -delete option to the find command (after the closing \\)) and it will get rid of those files too.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#20: Restrict Outgoing Nginx Connections<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Crackers who get a foothold will download files onto your server using tools such as wget. Use iptables to block outgoing connections from the nginx user. The&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">ipt_owner module attempts<\/a>&nbsp;to match various characteristics of the packet creator, for locally generated packets. It is only valid in the OUTPUT chain. 
In this example, allow the vivek user to connect outside using port 80 (useful for RHN access or to grab CentOS updates via repos):<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">\/sbin\/iptables -A OUTPUT -o eth0 -m owner --uid-owner vivek -p tcp --dport <span style=\"color: black; margin: 0px; padding: 0px;\">80<\/span> -m state --state NEW,ESTABLISHED  -j ACCEPT<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Add the above rule to your iptables-based shell script. Do not allow the nginx web server user to connect outside.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">Bonus Tip: Watching Your Logs &amp; Auditing<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Check the log files. 
They will give you some understanding of what attacks are thrown against the server and allow you to check whether the necessary level of security is present.<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># grep \"\/login.php??\" \/usr\/local\/nginx\/logs\/access_log<br style=\"margin: 0px; padding: 0px;\" \/># grep \"...etc\/passwd\" \/usr\/local\/nginx\/logs\/access_log<br style=\"margin: 0px; padding: 0px;\" \/># egrep -i \"denied|error|warn\" \/usr\/local\/nginx\/logs\/error_log<\/code><br style=\"margin: 0px; padding: 0px;\" \/>The auditd service is provided for system auditing. Turn it on to&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/linux-audit-files-to-see-who-made-changes-to-a-file.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">audit<\/a>&nbsp;SELinux events, authentication events, file modifications, account modifications and so on. 
As usual, disable all unneeded services and&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/linux-security.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">follow our &#8220;Linux Server Hardening&#8221;<\/a>&nbsp;security tips.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">Conclusion<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Your nginx server is now properly hardened and ready to serve web pages. However, you should consult further resources for your web applications' security needs. For example, WordPress or any other third-party app has its own security requirements.<\/div>\n<h4 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin: 0px; padding: 0px;\">References:<\/h4>\n<ul style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; list-style: square; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\">HowTo: Setup&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/series\/keepalived-nginx-ha-cluster\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">nginx reverse proxy<\/a>&nbsp;and HA cluster with the help of keepalived.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/wiki.nginx.org\/Main\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">nginx wiki<\/a>&nbsp;&#8211; The official nginx wiki.<\/li>\n<li style=\"margin: 0px; padding: 0px;\">OpenBSD 
specific&nbsp;<a href=\"https:\/\/calomel.org\/nginx.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Nginx installation<\/a>&nbsp;and security how to.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Nginx is a lightweight, high performance web server\/reverse proxy and e-mail (IMAP\/POP3) proxy. It runs on UNIX, GNU\/Linux, BSD variants, Mac OS X, Solaris, and Microsoft Windows. According to Netcraft, 6% of all domains on&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-69","post","type-post","status-publish","format-standard","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts\/69","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/comments?post=69"}],"version-history":[{"count":0,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts\/69\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/media?parent=69"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/categories?post=69"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/tags?post=69"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}